![]() You can extend many independent chain searches from the base search, and you can extend many second level chains that use the first level chain as their primary data source, but you cannot have a third level of chains that use the a second level chain as a primary data source. Search 3 is now the following: base search + Chain search 2a + Chain search 2b Search 2 is now the following: base search + Chain search 2 + Chain search 2a Search 1 is now the following: base search + Chain search 1 There are many different combinations you can use once you've established the base search, for example: | where status < 500 | stats sum(count) as "UserError" You can further extend a chain search by one additional search. Index=_internal | stats count by status | where status >= 400 | where status = 400 Index=_internal | stats count by status | where status = 400 | stats sum(count) as "Failed" When these searches begin with the same initial SPL search sections, you can use these sections as a base search and extend it using additional, chained, data source searches that will drive the same visualizations, using less computing power because the base search is only run one time for all of the visualizations.įor example, three data sources have the following three searches which begin with the same first two search sections: When you use a separate search for each visualization on a large dashboard, you can use a lot of computing power. Use a ds.chain search with a base search to chain searches together ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |