
How to find the search string by using search id/ref/base search?

pravinvram
Engager

Below is the sample dashboard XML where I can see the tags of search id, ref, base search, but I need to get hold of the full queries which are used in these references.
Any help to find the same will be much appreciated.

0 Karma

woodcock
Esteemed Legend

Check out David Paper's excellent dashboard that analyzes searches:
https://splunk-usergroups.slack.com/files/U04JY7N3G/FFGJD40AJ/extended_search_reporting.xml

0 Karma

niketn
Legend

@pravinvram, there are two types of search you are looking at:
1) Post Process Searches:
Where there is a Base Search which runs to return a statistical output (using a transforming command like stats, timechart, etc.). The base search is given some ID, for example id="myBaseSearch1", and the ID is then used by a post-process search to reuse the result from the Base Search and prepare a different statistical output. The Post-Process search refers to the base search using syntax like base="myBaseSearch1". This process can be cascaded to perform recursive post-processing.
So you can search for search IDs within the dashboard to see where they have been used for Post-Processing.

2) Refer to a Saved Search in Dashboard Query: Here you can add a reference to a saved search in your dashboard using ref="<yourSavedSearchName>". For each Saved Search name you can navigate to Report view and find out respective Report Name.

Please refer to the attached Splunk Documentation links and try out the examples to understand them better. You can also check out the Splunk Dashboard Examples app to learn from actual implementations of these concepts.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
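
The id/base/ref resolution described in the answer above can be done mechanically over a dashboard's Simple XML source. The following is an added example, not part of the original posts: the function name `resolve_searches`, the sample dashboard and the saved search name "My Saved Report" are constructed for illustration. It follows cascaded `base` references to rebuild the full SPL and lists `ref` entries separately, since their SPL is stored with the saved search rather than in the dashboard.

```python
import xml.etree.ElementTree as ET

# Constructed sample dashboard (not taken from the original post).
SAMPLE_XML = """<dashboard>
  <search id="myBaseSearch1">
    <query>index=_internal | stats count by sourcetype, host</query>
  </search>
  <row><panel>
    <table><search id="bySourcetype" base="myBaseSearch1">
      <query>| stats sum(count) as count by sourcetype</query>
    </search></table>
    <single><search base="bySourcetype">
      <query>sort - count | head 1</query>
    </search></single>
    <table><search ref="My Saved Report"/></table>
  </panel></row>
</dashboard>"""

def resolve_searches(xml_text):
    """Return (label, kind, value) for every <search> element.
    kind "spl": value is the full query with base searches prepended.
    kind "ref": value is the saved search name to look up as a report."""
    root = ET.fromstring(xml_text)
    searches = list(root.iter("search"))
    by_id = {s.get("id"): s for s in searches if s.get("id")}

    def full_query(node, seen=()):
        query = (node.findtext("query") or "").strip()
        base = node.get("base")
        if base is None:
            return query                      # base search: keep as written
        query = query.lstrip("| ")            # post-process may start with "|"
        if base in seen or base not in by_id:  # cycle or missing id
            return f"<unresolved base={base}> | {query}"
        return f"{full_query(by_id[base], seen + (base,))} | {query}"

    results = []
    for n, s in enumerate(searches):
        label = s.get("id") or f"search#{n}"
        if s.get("ref"):
            results.append((label, "ref", s.get("ref")))
        else:
            results.append((label, "spl", full_query(s)))
    return results

if __name__ == "__main__":
    for row in resolve_searches(SAMPLE_XML):
        print(row)
```
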