Moving along, in Splunk version 6.2, the simple XML <searchString>
, <searchTemplate>
, <searchName>
, and <searchPostProcess>
elements are replaced by the new <search>
element.
The following is a (two panel) dashboard using the <search>
tag and the stats
command in version 6.2 to deal with post-processing limitations. First, the query (the search) is defined at the dashboard level (not within any panel). This is our base search (notice the search ID):
<dashboard> <label>Dashboard with post-process search</label> <!-- Base search cannot pass more than 10,000 events to post-process searches--> <!—This dashboard uses the stats transforming command --> <!-- This limits events passed to post-process search --> <search id="baseSearch"> <query>sourcetype=tm1* dimension | stats count by date_month, date_wday</query> </search> <row>
Now, within our dashboard panels, the search...