Search macro
In a query you often tend do refer to indexes like this "index=main sourcetype=syslog" and then you build this into a dashboard. When your creations grow and you need to change to another index this will be many places to edit your code.Instead go to Settings > Advanced search > Search macro - edit/create your macro, place your index code there "index=main".
Now in your querys in any code refer to this macro instead like this:
`my_macro` sourcetype=syslogWhenever you need to change index or add more index you only have this one place to edit the macro.
No comments:
Post a Comment