Any ideas why the base search and table query are not executed and only the base_search part is executed?

bdunstan — Thu, 23 Jun 2022 19:13:16 GMT

Hi,

First time I have ever seen this, but curious if its just me.

I have a search defined as:
<search id="device_base_index">
<query>
index=oi sourcetype=device earliest=-30d@d latest=+2d@d
</query>
</search>

And a table as:
<table>
<title>Data Readiness</title>
<search base="device_base_index">
<query>fields deviceId inventoryStatus configStatus
| eval ic=configStatus+"::"+inventoryStatus
| makemv delim="::" ic
| mvexpand ic
| streamstats count by deviceId
| eval status=if(count = 1, "config", "inventory")
| fields deviceId status ic
| chart count over status by ic</query>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>

The dashboard only shows the results from the base_search and doesnt include the results as if it was passed through the the table part of the query. When I click on the magnifying glass, it loads up the full search - so I know the query and base search are attached at some point.

The other strange thing is when I look at the log, it only shows the base search:
Job Details Dashboard OptimizedSearch:
| search (earliest=-30d@d index=oi latest=+2d@d sourcetype=device)

But in the search.log it does see both parts of the full query:

Expanded index search = (index=oi sourcetype=device _time>=1653314400.000 _time<1656079200.000)
base lispy: [ AND index::oi sourcetype::device ]