Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

"No search query provided" when using base search

PanKokos
Path Finder
‎03-21-2016 09:11 AM

Hi,

I have created quite large dashboard and want to add some optimizations to it. I choose to use base search as a starter here. However I could not make it working. Probably I am missing something basic - could anyone point me how to correct this?

form>
  <label></label>
  <fieldset submitButton="true" autoRun="false">
    <!-- fields -->
  </fieldset>
<search id="baseSearch" >
    <query>
      <query>
        sourcetype="source" | 
        where Type="Profiling" | regex Name ="$Name$" | 
        eval ElapsedTime = ElapsedTime_ms / 1000 / 60 | 
        eval Id = if(IsChild="True", ParentId, ID) | 
        eval Reference = "(".RefSec."-".Name.")-".Id        
      </query>
      <earliest>$field3.earliest$</earliest>
      <latest>$field3.latest$</latest>
    </query>
  </search>
  <row>
    <panel>
      <title></title>
      <chart>
        <search base="baseSearch">
          <query> chart sum(ElapsedTime) as TotalTime over Reference by SectionName | addtotals fieldname=OTHER | eval OTHER=2*TotalExecutionTime - OTHER | fields - TotalExecutionTime | sort -OTHER | head 10</query>
        </search>
<!-- rest of the form -->

What I am missing here?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PanKokos
Path Finder
‎03-21-2016 10:25 AM

Found out - finally it was a typo in a query tags in base query:

     <query>
           <query>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PanKokos
Path Finder
‎03-21-2016 10:25 AM

Found out - finally it was a typo in a query tags in base query:

     <query>
           <query>
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-21-2016 09:14 AM

The earliest and latest on base search is using a token field3 which I don't see available under fieldset ? Did you miss adding a timerange picker to the form ?

0 Karma
Reply
Solved! Jump to solution

PanKokos
Path Finder
‎03-21-2016 09:25 AM

Hi, I have removed the fieldset from sample to reduce XML. Here it is:

<fieldset submitButton="true" autoRun="false">
    <input type="text" token="Name" searchWhenChanged="false">
      <label>Name</label>
      <default>.*</default>
    </input>
    <input type="time" token="field3" searchWhenChanged="false">
      <label>Time range</label>
      <default>
        <earliest>-6h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-21-2016 09:53 AM

Assuming you're got all the syntax correct, so try adding a table command to the base search, like this

 sourcetype="source" | 
         where Type="Profiling" | regex Name ="$Name$" | 
         eval ElapsedTime = ElapsedTime_ms / 1000 / 60 | 
         eval Id = if(IsChild="True", ParentId, ID) | 
         eval Reference = "(".RefSec."-".Name.")-".Id  
| table Reference SectionName ElapsedTime Id...and all other fields to be used in other post process searches
0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...