topic Re: Base search not returning results in Splunk Search

Base search not returning results

b17gunnr — Fri, 21 Mar 2025 18:13:02 GMT

Hello folks,

I trying to use a base search within a dashboard but it consistently returns no results. However, when I click Open in Search the results appear as expected. Any of you fine people have any suggestions?

<dashboard version="1.1" theme="dark"> <search id="recycle"> <query> index=o365_sharepoint AND (Operation=FileRecycled OR Operation=FolderRecycled OR Operation=FileVersionsAllDeleted) </query> <earliest>-7d@h</earliest> <latest>now</latest> </search> <label>Test Dashboard</label> <row> <panel> <title>Abnormal File Deletion and Recycle Patterns</title> <table> <search base="recycle"> <query> | stats count as "Object Deletions" BY UserId | search "Object Deletions" > 50 | sort - "Object Deletions" </query> </search> <option name="drilldown">cell</option> </table> </panel> </row> </dashboard>

Re: Base search not returning results

marnall — Fri, 21 Mar 2025 18:42:35 GMT

I copied your dashboard into my test instance and modified the base search to find events, and it worked.

As a test, could you try saving your full search as a dashboard panel for a new dashboard, then editing the source of that new dashboard to move the first half of the search into a base query?

Re: Base search not returning results

b17gunnr — Fri, 21 Mar 2025 19:05:20 GMT

Hello,

That's actually where I started this. I took a functioning panel with the full query and then ripped out the primary section for the base search. I also tried creating a new dashboard from scratch and get the same empty results. The only thing I can do to so something displays is to comment out all of

<query> | stats count as "Object Deletions" BY UserId | search "Object Deletions" > 50 | sort - "Object Deletions" </query>

If I leave any part of that code in, it fails.

Re: Base search not returning results

marnall — Fri, 21 Mar 2025 19:14:56 GMT

Does it work if you use any other command in the query? E.g. just "| stats count"

Also what version of Splunk are you using, out of curiosity?

Re: Base search not returning results

catdadof3 — Fri, 21 Mar 2025 20:20:15 GMT

I was able to replicate your problem - looks like if you use a table or fields command with the fields you need underneath the index search you can get results.

<search id="recycle"> <query> index=o365_sharepoint AND (Operation=FileRecycled OR Operation=FolderRecycled OR Operation=FileVersionsAllDeleted) | fields UserId Whateverotherfields </query> <earliest>-7d@h</earliest> <latest>now</latest> </search>

Re: Base search not returning results

PickleRick — Fri, 21 Mar 2025 20:30:28 GMT

Generally, the base search should be a transforming search and it shouldn't be too big. But if it's a normal event search, you should explicitly list fields you'll be using later (as @catdadof3 pointed out - with fields or table command).

Re: Base search not returning results

b17gunnr — Fri, 21 Mar 2025 22:17:57 GMT

Making this adjustment was just what I needed. I noticed that as I started playing with fields I could change the results, but I was focusing on the secondary query as opposed to the base query. Thank you all for the help and advice.