Dashboards & Visualizations

Creating a base search for dashboard

Path Finder

Hello All, 


I've been trying to create a basesearch for my dashboard. I have included all the fields that both queries have in common, labeled the first basesearch as id and the second as a base. I keep getting a "Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key=expression". I also have a question on the tokens are they only supposed to be on the first query under id basesearch?  What is wrong here with my basesearches here? thanks in advance. 




  <label>Cloned Dashboard </label>

  <search id="basesearch"> <----(This is the start of my base search)


      (index=dmx_rapper.xmn  $tok_eco_alias$  (team=dev staging="Test" )    OR ( team=Pro  ))


| eval HRofstage=case(stage="SentStatus", HRStamp),

| eval ProPriority=case(team="Pro", lookupService),

sentToProHR=case(Type="sentToPro", HRLogged)


| stats earliest(sentToProHR) as sentToProHR latest(HRofstage) as HRofstage values(Duration) as Duration values(lookupService) as lookupService  dc(Identifier) as TotalDocs values(Total) as Total values(ProPriority) as Pro_Priority by Identifier


| where Pro_Priority="$tok_rate$"


| eval startTime = strptime(sentToProHR,"%Y-%m-%d %H:%M:%S.%q"), endTime=strptime(HRofstage,"%Y-%m-%d %H:%M:%S.%6N")

| where isNotNull(sentToProHR)  AND isNotNull(HRofstage)

| eval Duration = ((endTime-startTime)/60) 

| eval ServiceValue=case(lookupService="Low", 3600, lookupService="Medium", 2880,  lookupService="High", 1440)






     <title>Service Value Success Count and Percentage </title>

        <search base="basesearch"> <----(2nd query for baseserach)

          <query> search | eval ServiceValue=if(Duration&lt;=ServiceValue, "Success", "Failure")


| eval Total=case(ServiceValue="Success", Identifier)


| stats  dc(Total) as ServiceValue dc(Identifier) as Totals_Received

| eval Percentage=round((ServiceValue/Total_Received)*100)

| eval ServiceValue=tostring(ServiceValue,"commas") . " (" .Percentage."%" . ")"

| table ServiceValue





Labels (3)
0 Karma
1 Solution


Hi @MeMilo09,

about the first problem there's a comma at the end of an eval command:

| eval HRofstage=case(stage="SentStatus", HRStamp),

About the second question, you can put the token in the part of search where you need to insert, it's better in the main search so you have less results.

In addition it isn't correct to have in the secondary search 

<query> search | eval ...

you cannot have search without arguments.



View solution in original post

0 Karma


Hi @MeMilo09,

about the first problem there's a comma at the end of an eval command:

| eval HRofstage=case(stage="SentStatus", HRStamp),

About the second question, you can put the token in the part of search where you need to insert, it's better in the main search so you have less results.

In addition it isn't correct to have in the secondary search 

<query> search | eval ...

you cannot have search without arguments.



0 Karma


Hi @MeMilo09,

good for you and see next time!

Ciao and happy splunking.


P.S.: Karma Points are appreciated 😉

Get Updates on the Splunk Community!

It’s all so meta | A Splunk Education blog about our blogs

C’mon over to the Splunk Training and Certification Community Site for the latest ways you can grow your minds ...

Index This | How can you take 2 from 5 and leave 4?

September 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

&#x1f47b; Check out the bewitching Community Office Hours, Tech Talks, and Webinars we’ve conjured up for ...