When using the following Dashboard and check the job.resultCount for the table element, it returns the number of the base search $QUERY$ , not that of the filtered search $QUERY$ | where $FILTER$=1 . How do I obtain that number of results? <dashboard> <search id="baseSearch"> <query>$QUERY$</query> </search> <row> <table> <search base="baseSearch"> <query>| where $FILTER$=1</query> <progress] <condition match="'job.resultCount' ] 1"> <set token="check">true</set> </condition> <condition> <set token="check">false</set> </condition> </progress> &lt;/search&gt; </table> </panel> </row> </dashboard> ... View more

I tried to do the following in a dashboard: First declare two base searches, the second one using the first one: <search id="baseSearch1"> <query> [QUERY1] </query> </search> <search base="baseSearch1" id="baseSearch2"> <query> [QUERY2] </query> </search> <row> <panel> <single> <search base="baseSearch2"> <query> [QUERY3]</query> </search> </single> </panel> </row> Hoping to end up with a combined query result for [QUERY1] | [QUERY2] |[QUERY3] . Unfortunately, this did not seem to work. (Splunk 6.3) However, when click the magnifiyng glass below the dashboard element I'm sent to the search interface with the combined query and the results (!) Suggesting that I might be on the right track to somehow implement a nested base search. I was wondering whether this was a known (solvable?) issue or perhaps a bug? ... View more

Is it possible to setup the DMC to distrubuted mode through the CLI? How could this be achieved? ... View more