Dashboards & Visualizations

Any ideas why the base search and table query are not executed and only the base_search part is executed?

bdunstan
Path Finder

Hi,

First time I have ever seen this, but curious if it's just me.

I have a search defined as:
<search id="device_base_index">
<query>
index=oi sourcetype=device earliest=-30d@d latest=+2d@d
</query>
</search>

And a table as:
<table>
<title>Data Readiness</title>
<search base="device_base_index">
<query>fields deviceId inventoryStatus configStatus
| eval ic=configStatus+"::"+inventoryStatus
| makemv delim="::" ic
| mvexpand ic
| streamstats count by deviceId
| eval status=if(count = 1, "config", "inventory")
| fields deviceId status ic
| chart count over status by ic</query>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>

The dashboard only shows the results from the base_search and doesn't include the results as if it was passed through the table part of the query. When I click on the magnifying glass, it loads up the full search, so I know the query and base search are attached at some point.

The other strange thing is when I look at the log, it only shows the base search:
Job Details Dashboard OptimizedSearch:
| search (earliest=-30d@d index=oi latest=+2d@d sourcetype=device)

But in the search.log it does see both parts of the full query:

Expanded index search = (index=oi sourcetype=device _time>=1653314400.000 _time<1656079200.000)
base lispy: [ AND index::oi sourcetype::device ] 

But then it sees the other part of the query:

PARSING: postprocess "fields deviceId inventoryStatus configStatus etc...

search.log contains no ERROR messages.

If I add the query to the table and don't use the base search, it all runs fine.

Any ideas why the base search and table query are not executed and only the base_search part is executed?

cheers
-brett

1 Solution

gcusello
SplunkTrust

Hi @bdunstan,

if you don't use a streaming command in the base search, you need to list all the fields that you want to use in the panels using the fields command.

In other words, at the end of the base search you have to add the following command, and you can also remove it from the panel:

| fields deviceId inventoryStatus configStatus

Ciao.

Giuseppe

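A way to catch this before a dashboard ships, as an added example that is not part of the thread and not Splunk tooling: a small linter for Simple XML that finds every `<search base="...">`, looks at the referenced base search, and flags it when it neither ends in a transforming command (stats, chart, timechart and friends, which hand a full result table to the post-process search) nor carries a `fields` stage naming the columns the panel needs. The transforming-command list is a hand-picked subset, pipe stages are split on a bare `|` (a pipe inside a quoted string would be mis-split), and the three sample dashboards are constructed here: BROKEN mirrors the XML posted in the question, FIXED applies the accepted answer, PARTIAL lists one field too few so the cross-check between base and post-process fires.

```python
"""Lint Simple XML dashboards for base searches whose post-process panels
would come back with empty fields. Added example; assumptions are noted inline."""
import xml.etree.ElementTree as ET

# Assumed subset of SPL transforming commands: a base search containing one of
# these emits a result table, so every column reaches the post-process search.
TRANSFORMING = {"stats", "chart", "timechart", "top", "rare", "tstats", "contingency"}


def pipeline_commands(query, implicit_search=True):
    """Split SPL into [(command, args), ...], one tuple per pipe stage.
    A base search opens with an implicit 'search' stage unless it starts with
    '|'; a post-process search starts directly with a command.
    Assumption: no '|' characters inside quoted strings."""
    q = query.strip()
    stages = [s.strip() for s in q.split("|") if s.strip()]
    out = []
    for stage in stages:
        head, _, rest = stage.partition(" ")
        out.append((head.lower(), rest.strip()))
    if out and implicit_search and not q.startswith("|"):
        out[0] = ("search", stages[0])
    return out


def base_search_exports(query):
    """What a base search hands to its post-process searches: 'all' after a
    transforming command, the name set from the last 'fields' stage, or None
    when neither is present (the situation described in the question)."""
    exported = None
    for cmd, args in pipeline_commands(query):
        if cmd in TRANSFORMING:
            exported = "all"
        elif cmd == "fields":
            names = args.replace(",", " ").split()
            if names and names[0] == "-":   # 'fields - x' only removes; declares nothing
                continue
            exported = {n for n in names if n != "+"}
    return exported


def lint_dashboard(xml_text):
    """Return a list of findings; an empty list means the dashboard is clean."""
    root = ET.fromstring(xml_text)
    bases = {s.get("id"): s.findtext("query", default="")
             for s in root.iter("search") if s.get("id")}
    findings = []
    for s in root.iter("search"):
        base_id = s.get("base")
        if base_id is None:
            continue
        if base_id not in bases:
            findings.append(f"{base_id}: referenced base search does not exist")
            continue
        exported = base_search_exports(bases[base_id])
        post = pipeline_commands(s.findtext("query", default=""), implicit_search=False)
        if exported is None:
            findings.append(f"{base_id}: no transforming command and no 'fields' stage; "
                            "post-process fields will be empty, append "
                            "'| fields <names>' to the base search")
        elif exported != "all" and post and post[0][0] == "fields":
            wanted = {n for n in post[0][1].replace(",", " ").split() if n != "+"}
            missing = sorted(wanted - exported)
            if missing:
                findings.append(f"{base_id}: post-process uses {missing} but the base "
                                f"search only exports {sorted(exported)}")
    return findings


# Constructed sample dashboards (not from a live Splunk instance).
BROKEN = """<dashboard>
  <search id="device_base_index">
    <query>index=oi sourcetype=device earliest=-30d@d latest=+2d@d</query>
  </search>
  <row><panel><table>
    <search base="device_base_index">
      <query>fields deviceId inventoryStatus configStatus
| eval ic=configStatus+"::"+inventoryStatus
| chart count over deviceId by ic</query>
    </search>
  </table></panel></row>
</dashboard>"""

FIXED = BROKEN.replace(
    "latest=+2d@d</query>",
    "latest=+2d@d | fields deviceId inventoryStatus configStatus</query>")

PARTIAL = BROKEN.replace(
    "latest=+2d@d</query>",
    "latest=+2d@d | fields deviceId inventoryStatus</query>")

if __name__ == "__main__":
    for name, xml in (("BROKEN", BROKEN), ("FIXED", FIXED), ("PARTIAL", PARTIAL)):
        print(name, lint_dashboard(xml) or "ok")
```

Running it on the posted dashboard reports the missing `fields` stage; on the corrected base search it reports nothing, and on PARTIAL it names `configStatus` as the field the panel asks for but the base search never exports. Point it at a real dashboard by reading the XML from disk and passing the text to `lint_dashboard`.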

bdunstan
Path Finder

Hi Giuseppe,
Thanks.  Of all the times I have used a base search, I had never run into this issue or never realised it was required. 

You learn something new every day !


gcusello
SplunkTrust

Hi @bdunstan ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
