Below is the sample dashboard XML where I can see the tags of search id, ref, base search, but I need to get hold of the full queries which are used in these references.
Any help to find the same will be much appreciated.
Check out David Paper's excellent dashboard that analyzes searches:
https://splunk-usergroups.slack.com/files/U04JY7N3G/FFGJD40AJ/extended_search_reporting.xml
@pravinvram , there are two types of search you are looking at:
1) Post Process Searches:
Where there is a Base Search which runs to return a statistical output (using a transforming command like stats, timechart etc.). The base search is given some ID, for example id="myBaseSearch1", and the ID is then used by a post-process search to reuse the result from the Base Search and prepare a different statistical output. The Post-Process search refers to the base search using syntax like base="myBaseSearch1". This process can be cascaded to perform recursive post-processing.
So you can search for search IDs within the dashboard to see where they have been used for Post-Processing.
2) Refer to a Saved Search in Dashboard Query: Here you can add a reference to a saved search in your dashboard using ref="<yourSavedSearchName>". For each Saved Search name you can navigate to Report view and find out respective Report Name.
Please refer to attached Splunk Documentation links and try out the examples to understand them better. You can also check out Splunk Dashboard Examples app to check out and learn from actual implementation of these concepts.
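An added example, not part of the original thread: a Python sketch that walks a Simple XML dashboard, follows each base="..." chain back to its base search to rebuild the full query, and lists the ref="..." saved searches separately. The sample dashboard and the function name resolve_searches are constructed for illustration, and it assumes a post-process query is simply piped onto its base search.

```python
import xml.etree.ElementTree as ET

# Constructed sample dashboard (not from the original post).
SAMPLE_DASHBOARD = """<dashboard>
  <search id="myBaseSearch1">
    <query>index=_internal | stats count by sourcetype, host</query>
  </search>
  <row>
    <panel>
      <chart>
        <search id="bySourcetype" base="myBaseSearch1">
          <query>stats sum(count) as total by sourcetype</query>
        </search>
      </chart>
      <table>
        <search base="bySourcetype">
          <query>| sort - total | head 5</query>
        </search>
      </table>
      <table><search ref="My Saved Report"/></table>
    </panel>
  </row>
</dashboard>"""

def resolve_searches(xml_text):
    """Return (full_queries, saved_refs) for every <search> in a dashboard."""
    searches = list(ET.fromstring(xml_text).iter("search"))
    by_id = {s.get("id"): s for s in searches if s.get("id")}

    def expand(node, seen=()):
        query = (node.findtext("query") or "").strip()
        base = node.get("base")
        if base is None:
            return query  # a base (or standalone) search is already complete
        if base in seen or base not in by_id:
            raise ValueError(f"unresolvable base reference: {base!r}")
        # Assumption: the post-process query is piped onto its base search.
        parent = expand(by_id[base], seen + (base,))
        return f"{parent} | {query.lstrip('|').strip()}"

    full_queries, saved_refs = [], []
    for s in searches:
        if s.get("ref"):
            saved_refs.append(s.get("ref"))  # SPL is stored with the saved search
        else:
            full_queries.append(expand(s))
    return full_queries, saved_refs
```

The names returned in saved_refs still have to be looked up in the report definitions, since the dashboard XML only carries the saved search name.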