Splunk Search

Can anyone explain what is a Splunk Base Search?

splgeek
Explorer

Hello Splunkers

Can anyone explain in simple terms what is a Splunk Base Search?

Tags (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The term has two meanings. The first refers to the part of an SPL query prior to the first '|'.

The second is used in dashboards and refers to a search query the results of which are used in the later post-processed searches. See "Post-process searches" in http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/Savedsearches

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The term has two meanings. The first refers to the part of an SPL query prior to the first '|'.

The second is used in dashboards and refers to a search query the results of which are used in the later post-processed searches. See "Post-process searches" in http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/Savedsearches

---
If this reply helps you, Karma would be appreciated.

splgeek
Explorer

Thank you guys

0 Karma

hjauch_splunk
Splunk Employee
Splunk Employee

In the context of IT Service Intelligence, KPI base searches can be used to share a search definition across multiple KPIs that use the same data source. For example, you may have several KPIs that are based on the same sets of source events, but are measuring on different fields. You can create base searches to consolidate these KPIs, reduce search load, and improve search performance.

For info on KPI base searches, see http://docs.splunk.com/Documentation/ITSI/2.4.0/Configure/HowtocreateKPIsearches#Create_KPI_base_sea...

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Extending answer from Richard, the first part of the search is the base search. Consider this search:

index=_internal sourcetype=splunkd | stats count by source

The part before first pipe index=_internal sourcetype=splunkd is the base search. While in below search:

| tstats count WHERE index=_internal sourcetype=splunkd by source | table sourcetype

The first portion of the search | tstats count WHERE index=_internal sourcetype=splunkd by source is the base search.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...