Archive
Highlighted

Panels that use basesearch won't display different times

Explorer

I tried taking a look at this question: https://answers.splunk.com/answers/395258/how-to-specify-different-time-ranges-for-each-pane.html?ut...

However, the solution didn't work. I have a basesearch that I want the whole dashboard to use, and I grab the data over a week period. But I want some panels to only display an hour's worth of data. However, they just reset to showing the whole week's worth of data instead.

Here's part of my dashboard.

<dashboard>
  <search id="baseSearch">
    <query>index=salt source=/var/log/salt/master Published command details NOT find_job</query>
    <earliest>@w0</earliest>
    <latest>now</latest>
  </search>
  <label>Salt Today</label>
  <row>
    <panel>
      <title>Jobs Run Today</title>
      <single>
        <search base="baseSearch">
          <query>stats count</query>
        </search>
        <earliest>@d</earliest>
        <latest>now</latest>
         </single>
    </panel>

Any ideas?

Highlighted

Re: Panels that use basesearch won't display different times

Motivator

Hello,

Post populating searches work only if your parent search is sliced by time. example:

 <!-- My parent search -->
 <search id="baseSearch">
   <query>index=salt earliest=-1w latest=now source=/var/log/salt/master Published command details NOT find_job|stats count by a,b,c,d,e,f,_time</query>
   </search>
 <!-- post processing reference -->
 <chart>
   <search base="baseSearch">
     <query>| timechart count by a span=15m</query>
    <earliest>-1d</earliest>
  <latest>now</latest>
   </search>
 </chart>
 <chart>

Hope this helps!

Thanks,
Raghav

View solution in original post