Splunk Dashboard with Base Search


basically there is a dashboard with n panels, but all of the panels use the same search just with some differences in its post processing…

This base search is common to all panels using it:

<search id=”baseSearch“>
index=_internal source=*splunkd.log | stats count by component, log_level

<title>Event count by log level</title>

<!– post-process search –>
<search base=”baseSearch”>
stats sum(count) AS count by log_level


PS: Use |fields * in the base search to force it to run in verbose mode. This is the easiest way to make sure all fields are available to the post processing in Panel Search Queries