https://community.splunk.com/t5/Splunk-Enterprise-Security/Difference-between-the-results-from-a-visualizations-and-a/m-p/406897#M4736 <P>@cristiad by base search do you imply you are using Post-Processing? Is the final command in your base search a transforming command or streaming command? Will you be able to provide the query for existing dashboard?</P> <P>Make sure that you do not return all the fields using base search for post-processing and rather use transforming commands like stats. Refer to <A href="http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Best_practices">Splunk Docs for Post-Processing Best Practices</A>.</P> Tue, 21 Aug 2018 09:43:31 GMT niketn 2018-08-21T09:43:31Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Difference-between-the-results-from-a-visualizations-and-a/m-p/406894#M4733 <P>Hi there,</P> <P>I have a strange situation. When I'm using a base search into a dashboard, I have displayed only 4 devices even if when I run the query as a regular search in search app I obtain a greater value.</P> <P>Any ideas?</P> <P>Thank you!</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5557i95D8E4FE5A02B413/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 13 Aug 2018 11:17:37 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Difference-between-the-results-from-a-visualizations-and-a/m-p/406894#M4733 cristiad 2018-08-13T11:17:37Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Difference-between-the-results-from-a-visualizations-and-a/m-p/406895#M4734 <P>Can you please elaborate on this? Are you saying that you are using the same query and getting different results when you run it as adhoc regular search and when it is in a dashboard?</P> Tue, 14 Aug 2018 22:49:59 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Difference-between-the-results-from-a-visualizations-and-a/m-p/406895#M4734 nadlurinadluri 2018-08-14T22:49:59Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Difference-between-the-results-from-a-visualizations-and-a/m-p/406896#M4735 <P>Yes, the same search is used and I obtain different results.</P> Tue, 21 Aug 2018 08:57:40 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Difference-between-the-results-from-a-visualizations-and-a/m-p/406896#M4735 cristiad 2018-08-21T08:57:40Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Difference-between-the-results-from-a-visualizations-and-a/m-p/406897#M4736 <P>@cristiad by base search do you imply you are using Post-Processing? Is the final command in your base search a transforming command or streaming command? Will you be able to provide the query for existing dashboard?</P> <P>Make sure that you do not return all the fields using base search for post-processing and rather use transforming commands like stats. Refer to <A href="http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Best_practices">Splunk Docs for Post-Processing Best Practices</A>.</P> Tue, 21 Aug 2018 09:43:31 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Difference-between-the-results-from-a-visualizations-and-a/m-p/406897#M4736 niketn 2018-08-21T09:43:31Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Difference-between-the-results-from-a-visualizations-and-a/m-p/406898#M4737 <P>This seems like you might have a knowledge object { field extraction or a lookup } that isnt set to export globally. </P> <P>Can you share your base search?</P> <P>,This sounds to me like you have some knowledge objects { lookup, field extraction } that dont have global permissions or is exported outside of an app context.. </P> <P>Can you share your base search? </P> Tue, 21 Aug 2018 09:43:53 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Difference-between-the-results-from-a-visualizations-and-a/m-p/406898#M4737 esix_splunk 2018-08-21T09:43:53Z