Implementing Splunk (Update)


Features replaced


Moving along, in Splunk version 6.2, the simple XML <searchString>, <searchTemplate>, <searchName>, and <searchPostProcess> elements are replaced by the new <search> element.
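To show what that replacement looks like on an existing dashboard, the following Python script (an added example, not code from the book or from Splunk) rewrites the four legacy elements into `<search>` and reports which ones it replaced. Assumptions: the `ref` and `base` attributes and the move of `<earliestTime>`/`<latestTime>` to `<earliest>`/`<latest>` follow Splunk's simple XML reference rather than this page, `BASE_ID` reuses the search ID from the dashboard shown on this page, and the sample dashboard and its saved-search name are constructed.

```python
import xml.etree.ElementTree as ET

BASE_ID = "baseSearch"   # assumed id for the migrated base search (the id the page uses)
LEGACY = ("searchString", "searchTemplate", "searchName", "searchPostProcess")
TIME_TAGS = {"earliestTime": "earliest", "latestTime": "latest"}

# Constructed sample in the pre-6.2 style; the saved-search name is hypothetical.
SAMPLE = """<dashboard>
  <label>Constructed sample</label>
  <searchTemplate>sourcetype=tm1* dimension | stats count by date_month, date_wday</searchTemplate>
  <earliestTime>-30d</earliestTime>
  <row>
    <chart><searchPostProcess>stats sum(count) by date_month</searchPostProcess></chart>
    <table><searchName>Hypothetical saved search</searchName></table>
  </row>
</dashboard>"""

def new_search(old):
    """Build the <search> element that replaces one legacy element."""
    search = ET.Element("search")
    text = (old.text or "").strip()
    if old.tag == "searchName":
        search.set("ref", text)        # saved search referenced by name
        return search
    if old.tag == "searchTemplate":
        search.set("id", BASE_ID)      # base search gets an explicit id
    elif old.tag == "searchPostProcess":
        search.set("base", BASE_ID)    # post-process search points at the base
    ET.SubElement(search, "query").text = text
    return search

def migrate(xml_text):
    """Return (new_xml, replaced_tags) for a simple XML dashboard."""
    root = ET.fromstring(xml_text)
    replaced = []
    for parent in list(root.iter()):
        for child in [c for c in parent if c.tag in LEGACY]:
            search = new_search(child)
            for sib in [s for s in parent if s.tag in TIME_TAGS]:
                ET.SubElement(search, TIME_TAGS[sib.tag]).text = sib.text
                parent.remove(sib)     # time bounds move inside <search>
            parent.insert(list(parent).index(child), search)
            parent.remove(child)
            replaced.append(child.tag)
    return ET.tostring(root, encoding="unicode"), replaced

if __name__ == "__main__":
    print(migrate(SAMPLE)[0])
```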

The following two-panel dashboard uses the <search> tag and the stats command in version 6.2 to work within post-processing limitations. First, the query (the search) is defined at the dashboard level, not within any panel. This is our base search (notice the search ID):

<dashboard>
 <label>Dashboard with post-process search</label>
 <!-- Base search cannot pass more than 10,000 events to post-process searches-->
 <!-- This dashboard uses the stats transforming command -->
 <!-- This limits events passed to post-process search -->
 <search id="baseSearch">
  <query>sourcetype=tm1* dimension | stats count by date_month, date_wday</query>
 </search>
 <row>

Now, within our dashboard panels, the search...