topic Re: help on base search in Splunk Search

help on base search

jip31 — Fri, 22 Oct 2021 06:17:10 GMT

hello

I try to use a base search between two single panel

the first single panel is on the last 24 h and the second panel must be on the last 7 days

but when i put <earliest>-7d@h</earliest><latest>now</latest> in the second panel I have a validation warning!

what i have to do please?

<row> <panel> <single> <search id="test"> <query>index=toto sourcetype=tutu | fields signaler | stats dc(signaler)</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> </single> </panel> <panel> <single> <search base="test"> <query>| stats dc(signaler)</query> </search> </single> </panel>

Re: help on base search

gcusello — Fri, 22 Oct 2021 06:40:56 GMT

Hi @jip31,

base searches must be outside panels and in each panel, you have to put the specific filter of the panel, in other words, something like this:

<search id="test"> <query> index=toto sourcetype=tutu | fields signaler | stats dc(signaler) </query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <row> <panel> <single> <search base="test"> <query> ... </query> </search> </single> </panel> <panel> <single> <search base="test"> <query> ... </query> </search> </single> </panel>

But in your case you cannot use a base search because you have the same search but two different timeframes.

If you would use a base search you have to modify your search:

<search id="test"> <query> index=toto sourcetype=tutu | eval type=if(_time-now()<86400,"Last24 hours","Last week") | fields signaler type | stats dc(signaler) BY type </query> <earliest>-7d@d</earliest> <latest>now</latest> </search> <row> <panel> <single> <search base="test"> <query> | search type="Last24 hours" </query> </search> </single> </panel> <panel> <single> <search base="test"> <query> | search type="Last week" </query> </search> </single> </panel>

You can find more infos at https://docs.splunk.com/Documentation/Splunk/8.2.2/Viz/Savedsearches#Post-process_searches_2 or using the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603/).

Ciao.

Giuseppe

Re: help on base search

jip31 — Fri, 22 Oct 2021 06:49:53 GMT

perfect gcusello thanks

Re: help on base search

gcusello — Fri, 22 Oct 2021 07:24:33 GMT

Hi @jip31,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: help on base search

jip31 — Fri, 22 Oct 2021 07:46:13 GMT

just a little issue when I use

| eval type=if(_time-now()<86400,"Last24 hours","Last week")

I have an "unencoded < " message in my xml

Re: help on base search

gcusello — Fri, 22 Oct 2021 10:45:11 GMT

Hi @jip31,

if you put the search directly on dashboard XML source, you have to replace "<" with "<".

Ciao.

Giuseppe