Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Chart showing "no results found" in Dashboard with using base search

soulmaker
Explorer
‎07-02-2024 04:08 PM

Hello, 

I have some issues where using base search is not working on my dashboard. Interestingly, if I click on the search icon, it will come up with valid search query and it will shows some result. However, on my dashboard itselt it shows "no results found".

Below is currently what I have set:

<search id="prod_request">
  <query>type="request" "request.path"="prod/"</query>
  <earliest>$timerange.earliest$</earliest>
  <latest>$timerange.latest$</latest>
  <sampleRatio>1</sampleRatio>
  <refresh>10m</refresh>
  <refreshType>delay</refreshType>
</search>
<chart>
  <title>Top 10 request</title>
  <search base="prod_request">
    <query>| stats count by auth.account_namespace | sort - count | head 10 | transpose 0 header_field=auth.account_namespace column_name=account_namespace | eval account_namespace=""</query>
  </search>
  <option name="charting.axisTitleX.text">Account Namespace</option>
  <option name="charting.chart">bar</option>
  <option name="charting.chart.showDataLabels">all</option>
  <option name="charting.chart.stackMode">default</option>
  <option name="charting.drilldown">all</option>
  <option name="charting.legend.placement">right</option>
  <option name="charting.seriesColors">[0x1e93c6, 0xf2b827, 0xd6563c, 0x6a5c9e, 0x31a35f, 0xed8440, 0x3863a0, 0xa2cc3e, 0xcc5068, 0x73427f]</option>
  <option name="refresh.display">progressbar</option>
</chart>
Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-02-2024 04:52 PM

You are using base searches wrongly. Firstly you should be using a transforming command in your base search, not just loading events - that is not what base searches are intended for and can often make your dashboard perform badly.

If you really need to have events then you need to include a | fields statement with the fields you want, but remember, base searches are limited and this is definitely NOT a good way to use a base search.

You should really put your stats command as part of the base search, but that will of course depend on what else you want to use the search for.

 

0 Karma
Reply

soulmaker
Explorer
‎07-02-2024 05:55 PM

Thanks @bowesmana for your comment. Very new to Splunk and not really sure if I do need base search, but all I want really is for these events to only search once for my dashboard to not consume a lot of memory when it is loading or refreshing. 

At the moment I do have 5 chart on my dashboard and I need to get the data from that event with different path to search. All the event are from that query and what is happening now is trying to do a query of that for 5x. I though base search would be the best thing to use so it will only query once on my dashboard. 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-02-2024 06:05 PM

Optimise at the END of your dashboard rather than at the start.

This is not a good use of a base search - so I would first work out all your searches then MAYBE you can use a base search to optimise away when you are happy with the searches.

You will consume more memory and things will be slower because all post processing will occur on the search head rather than possible on the distributed indexers.

If you can give an example of the other searches, then there may be an optimisation, but start simple.

An example of where a base search may be suitable could be

type="request" "request.path"="prod/"
| stats count by auth.account_namespace request.path

and then you might have 2 post processing searches that do

| stats sum(count) as count by auth.account_namespace 
| sort - count 
| head 10 
| transpose 0 header_field=auth.account_namespace column_name=account_namespace 
| eval account_namespace=""

and

| stats sum(count) as count by request.path
...

so you are using the base search to take stats across 2 dimensions and then each of the post processing search is calculating from those existing aggregations.

See this article on post processing/base searches. 

https://docs.splunk.com/Documentation/Splunk/9.2.1/Viz/Savedsearches#Post-process_searches_2

 

0 Karma
Reply
Get Updates on the Splunk Community!

Let’s Talk Terraform

If you’re beyond the first-weeks-of-a-startup stage, chances are your application’s architecture is pretty ...

Cloud Platform | Customer Change Announcement: Email Notification is Available For ...

The Notification Team is migrating our email service provider. As the rollout progresses, Splunk has enabled ...

Save the Date: GovSummit Returns Wednesday, December 11th!

Hey there, Splunk Community! Exciting news: Splunk’s GovSummit 2024 is returning to Washington, D.C. on ...