An example lookup report representing a view based on a saved report in Splunk.
This is an example of a report view. These views are generated from saved reports in Splunk.
The adapter will use the Splunk APIs to process the following query components; the adapter processes other parts of the query client-side in memory.
Runs a saved search, or report, and returns its search results. If the search contains replacement placeholder terms, such as $replace_me$, the search processor replaces the placeholders with the strings you specify.
- SELECT * FROM mysearch WHERE replace_me='value'
Will generate the following search statement:
- | savedsearch mysearch replace_me="value"
All replacement placeholder terms will be dynamic and saved as Pseudo-Columns.
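The mapping above, as an added example that is not the adapter's own code: one way a client could build the same `| savedsearch` statement from placeholder values so that each value stays inside its own quoted argument. The function names, the identifier pattern for placeholder names, and the backslash escaping of quotes are assumptions of this sketch.

```python
import re

# Assumption of this sketch: placeholder names are plain identifiers,
# as in the page's $replace_me$ example.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_spl_value(value):
    """Return value as a double-quoted string for the generated statement."""
    text = str(value)
    if any(ord(ch) < 0x20 for ch in text):
        raise ValueError("control characters are not allowed in a value")
    # Escape the backslash first so the quote escape is not doubled afterwards.
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_savedsearch(search_name, placeholders):
    """Build '| savedsearch <name> key="value" ...' from WHERE equality terms."""
    if not search_name:
        raise ValueError("saved search name is required")
    # A plain identifier is emitted bare, as on the page; anything else is quoted.
    if IDENTIFIER_RE.match(search_name):
        name = search_name
    else:
        name = quote_spl_value(search_name)
    parts = ["| savedsearch", name]
    for key, value in placeholders.items():
        # The key is written unquoted, so it must be validated, not escaped.
        if not IDENTIFIER_RE.match(key):
            raise ValueError("invalid placeholder name: %r" % (key,))
        parts.append("%s=%s" % (key, quote_spl_value(value)))
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed inputs: the page's example, then a value containing quotes.
    print(build_savedsearch("mysearch", {"replace_me": "value"}))
    print(build_savedsearch("mysearch", {"replace_me": 'a" other="b'}))
```

This only constrains the generated statement; what the saved search does with the substituted string is decided by the saved search itself.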
All columns support server-side processing for the following operators and functions:
- Operators: =, <, >, >=, <=, IN, IS NULL, IS NOT NULL, NOT, LIKE
- Functions: AVG, SUM, MIN, MAX, COUNT, STDEV, STDEVP, VAR, VARP
LIMIT, ORDER BY, GROUP BY, and HAVING are also processed server-side. The exception is when the selected columns include fields that are not in the GROUP BY clause; in that case GROUP BY, criteria, and limiting are handled client-side.
When an unsupported criterion or function is used, all processing is completed client-side (except selecting the specified fields). This is also the case when a SELECT statement has a column that is not in the GROUP BY clause.
For example, the adapter processes the following queries server-side:
- SELECT Country, Subregion as Sub FROM LookUpReport WHERE Iso2 != '123' OR continent = 'Europe' AND iso3 NOT IN ('example_1', 'example_2') ORDER BY Country DESC LIMIT 5
- SELECT AVG(Iso2), Subregion FROM LookUpReport GROUP BY Subregion HAVING AVG(Iso2) > 0