Dashboard - Base search results differs from no same query results when query is fully specified

afsku — Mon, 22 Mar 2021 19:52:38 GMT

Hi,

I have two identical queries on the dashboard, the only difference - one is based on previously defined search results. They produce very different charts however, here is the code and screenshots:

<form> <search id="events_search"> <query> index = "*" | fields * </query> <earliest>$time_token.earliest$</earliest> <latest>$time_token.latest$</latest> </search> <fieldset submitButton="false" autoRun="true"> <input type="time" token="time_token"> <label>Time</label> <default> <earliest>-48h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <chart> <title>Errors (Based on events_search query)</title> <search base="events_search"> <query> search level IN ("error", "fatal") | timechart count </query> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">all</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <chart> <title>Errors (Not based on any existing query)</title> <search> <query> index = "*" | fields * | search level IN ("error", "fatal") | timechart count </query> <earliest>-48h@h</earliest> <latest>now</latest> </search> <option name="charting.chart">line</option> <option name="charting.drilldown">all</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> </form>

So I wonder if it is a bug or some sort of known behavior?

Re: Dashboard - Base search results differs from no same query results when query is fully specified

isoutamo — Mon, 22 Mar 2021 21:19:20 GMT

This is known limitation of using none transforming base search. It return only xx k (500k if I recall right) results.

r. Ismo

Re: Dashboard - Base search results differs from no same query results when query is fully specified

afsku — Mon, 22 Mar 2021 23:00:13 GMT

Thanks, @isoutamo , I should have read Optimizing Splunk Dashboards with Post-Process Searches , now I got my searches optimized and problem has gone.

topic Re: Dashboard - Base search results differs from no same query results when query is fully specified in Dashboards & Visualizations

Dashboard - Base search results differs from no same query results when query is fully specified

Re: Dashboard - Base search results differs from no same query results when query is fully specified

Re: Dashboard - Base search results differs from no same query results when query is fully specified