Hi,
First time I have ever seen this, but curious if it's just me.
I have a search defined as:
<search id="device_base_index">
<query>
index=oi sourcetype=device earliest=-30d@d latest=+2d@d
</query>
</search>
And a table as:
<table>
<title>Data Readiness</title>
<search base="device_base_index">
<query>fields deviceId inventoryStatus configStatus
| eval ic=configStatus+"::"+inventoryStatus
| makemv delim="::" ic
| mvexpand ic
| streamstats count by deviceId
| eval status=if(count = 1, "config", "inventory")
| fields deviceId status ic
| chart count over status by ic</query>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
The dashboard only shows the results from the base_search and doesn't include the results as if it was passed through the table part of the query. When I click on the magnifying glass, it loads up the full search - so I know the query and base search are attached at some point.
The other strange thing is when I look at the log, it only shows the base search:
Job Details Dashboard OptimizedSearch:
| search (earliest=-30d@d index=oi latest=+2d@d sourcetype=device)
But in the search.log it does see both parts of the full query:
Expanded index search = (index=oi sourcetype=device _time>=1653314400.000 _time<1656079200.000) base lispy: [ AND index::oi sourcetype::device ]
But then it sees the other part of the query:
PARSING: postprocess "fields deviceId inventoryStatus configStatus etc...
search.log contains no ERROR messages.
If I add the query to the table and don't use the base search, it all runs fine.
Any ideas why the base search and table query are not executed and only the base_search part is executed?
cheers
-brett
Hi @bdunstan,
if you don't use a streaming command in the base search, you need to list all the fields that you want to use in the panels using the fields command.
In other words, at the end of the base search you have to add the above command and you can also remove it from the panel
| fields deviceId inventoryStatus configStatus
Ciao.
Giuseppe
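An added example, not part of the original thread and not Splunk tooling: a small Python check that parses a Simple XML dashboard and reports base searches that panels post-process but that never set an explicit field list. The sample XML is constructed from the question's searches; the `FIELD_DEFINING` command list and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumption: common SPL commands that leave the base search with an explicit
# field set (fields/table plus a few transforming commands); not exhaustive.
FIELD_DEFINING = {"fields", "table", "stats", "chart", "timechart", "top", "rare"}

# Constructed sample: the searches from the question inside a minimal <dashboard> root.
QUESTION_XML = """<dashboard>
  <search id="device_base_index">
    <query>index=oi sourcetype=device earliest=-30d@d latest=+2d@d</query>
  </search>
  <row><panel><table>
    <search base="device_base_index">
      <query>fields deviceId inventoryStatus configStatus
| eval ic=configStatus+"::"+inventoryStatus
| chart count over status by ic</query>
    </search>
  </table></panel></row>
</dashboard>"""

# Same dashboard with the fields command added to the end of the base search.
FIXED_XML = QUESTION_XML.replace(
    "latest=+2d@d", "latest=+2d@d | fields deviceId inventoryStatus configStatus")

def stages(spl):
    """Command name of each pipe-separated stage (naive: pipes inside quotes are not handled)."""
    names = []
    for part in spl.split("|"):
        words = part.split()
        if words:
            names.append(words[0].lower())
    return names

def base_searches_without_fields(dashboard_xml):
    """Ids of searches referenced via base="..." whose query never fixes a field list."""
    root = ET.fromstring(dashboard_xml)
    referenced = {s.get("base") for s in root.iter("search") if s.get("base")}
    flagged = []
    for s in root.iter("search"):
        if s.get("id") in referenced:
            if not FIELD_DEFINING & set(stages(s.findtext("query") or "")):
                flagged.append(s.get("id"))
    return flagged

if __name__ == "__main__":
    print("question:", base_searches_without_fields(QUESTION_XML))
    print("fixed:   ", base_searches_without_fields(FIXED_XML))
```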
Hi Giuseppe,
Thanks. Of all the times I have used a base search, I had never run into this issue or never realised it was required.
You learn something new every day!
Hi @bdunstan ,
good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉