Dashboard - Base Search not returning results into panel

brdr
Contributor

Having trouble with base search. I'm trying to build on a base search. For now I have one panel with a base search. In the end I will have four panels using the same base search... Here is my XML. My issue is that the panel is not populated with the result, whereas if I open the search from within the panel after saving the XML, the search returns fine. What am I doing wrong? Thank you.

Source:

Dashboard - Test Base Search

<input type="time" searchWhenChanged="true" token="timeVar02">
  <label></label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <title>Total Accounts</title>
  <single>
    <search base="BaseSearchC">
      <query>| stats dc(AccountId) as Total</query>
    </search>
    <option name="drilldown">none</option>
    <option name="height">87</option>
  </single>
</panel>


<query>index=a-index* sourcetype="a-srctype"</query>
      <earliest>$timeVar02.earliest$</earliest>
      <latest>$timeVar02.latest$</latest>
1 Solution

kmaron
Motivator

I think your main issue is that your base search needs to be a transforming search.
See this documentation: http://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/Savedsearches

You might also want to reorder things.

Something like this:

<form>
  <!-- Time picker; its token sets the time range of the base search -->
  <fieldset submitButton="false">
    <input type="time" searchWhenChanged="true" token="timeVar02">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <!-- Base search: defined once at the form level and given an id -->
  <search id="BaseSearchC">
    <query>index=a-index sourcetype="a-sourcetype"</query>
    <earliest>$timeVar02.earliest$</earliest>
    <latest>$timeVar02.latest$</latest>
  </search>
  <row>
    <panel>
      <title>Total Accounts</title>
      <single>
        <!-- Post-process search: runs on the results of BaseSearchC -->
        <search base="BaseSearchC">
          <query>| stats dc(AccountId) as Total</query>
        </search>
        <option name="drilldown">none</option>
        <option name="height">87</option>
      </single>
    </panel>
  </row>
</form>


elliotproebstel
Champion

Your base search needs to be wrapped with <search id="baseSearchC"> at the beginning and </search> at the end. Additionally, a post-processed search is only meant to be used with a base search that has a transforming command. Unless there's a lot more to this dashboard, there's no good reason to use a base search and post-process here. If there are other panels, perhaps you can share their searches, and we can help you optimize? If you really want to use a base/post-process search structure here, you'll need to reference the AccountId field in your base search, or else the post-process search won't have access to it. So you could make your base search something like this:

index=a-index* sourcetype="a-srctype"
| fields AccountId

But really, unless you have other panels that need this base search shared, you should combine the base and post-process into a single search in your panel.

niketn
Legend

Agree with @elliotproebstel: your base search should have statistically aggregated data, which should then be passed on to other post-process searches. If you need to use raw data from the base search, you might be better off running the same search twice rather than using post-processing. Refer to the documentation for best practice: http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Best_practices

Also check out the examples provided in the above documentation, which cover recursive post-processing and complex statistical data being passed on from the base search to the post-process search.

Refer to one of my recent answers that uses post-processing to plot a timechart and a pie chart: https://answers.splunk.com/answers/637178/how-to-generate-a-pie-chart.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

somesoni2
Revered Legend

I can see two issues:
1) I don't see the base search being assigned id="BaseSearchC". Is that a copy-paste error here?
2) The base search should have some sort of reporting command (aggregation commands like stats, timechart, chart are preferred; at minimum, a table or fields command).
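
The two checks raised in the replies (a post-process search whose base id is never defined, and a base search with no transforming or fields/table command) can be automated before a dashboard is deployed. The following is an added example, not part of the original thread and not a Splunk tool; the names `lint_base_searches`, `SHAPING` and `dashboard`, and the three sample dashboards, are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Commands treated as making a base search safe to post-process: transforming
# commands, or at minimum fields/table. Assumed, non-exhaustive list.
SHAPING = {"stats", "chart", "timechart", "top", "rare", "fields", "table"}

def lint_base_searches(simple_xml):
    """Return findings about base/post-process wiring in a Simple XML dashboard."""
    root = ET.fromstring(simple_xml)
    searches = list(root.iter("search"))
    bases = {s.get("id"): s for s in searches if s.get("id")}
    findings = []
    for s in searches:
        ref = s.get("base")
        if ref is None:
            continue  # not a post-process search
        if ref not in bases:
            findings.append(f"post-process references undefined base id '{ref}'")
            continue
        query = bases[ref].findtext("query") or ""
        # Naive split: the first word of each segment after a pipe is the command.
        # A pipe inside a quoted string would be misread by this simple check.
        cmds = {seg.split()[0].lower() for seg in query.split("|")[1:] if seg.strip()}
        if not cmds & SHAPING:
            findings.append(f"base search '{ref}' has no transforming or fields/table command")
    return findings

def dashboard(base_search_xml):
    """Build a constructed one-panel sample dashboard around a base search."""
    return f"""<form>
  {base_search_xml}
  <row><panel><single>
    <search base="BaseSearchC"><query>| stats dc(AccountId) as Total</query></search>
  </single></panel></row>
</form>"""

# Constructed samples modelled on the thread.
RAW = '<query>index=a-index* sourcetype="a-srctype"</query>'
AS_POSTED = dashboard(RAW)  # query is not wrapped in <search id=...>
NO_SHAPING = dashboard(f'<search id="BaseSearchC">{RAW}</search>')
FIXED = dashboard(f'<search id="BaseSearchC">{RAW[:-8]} | fields AccountId</query></search>')

if __name__ == "__main__":
    for name, xml in [("as posted", AS_POSTED), ("id only", NO_SHAPING), ("fixed", FIXED)]:
        print(name, "->", lint_base_searches(xml) or "ok")
```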

brdr
Contributor

It was not having a transforming command that slipped me up. Thanks folks for the help.


jodyfsu
Path Finder

Hey brdr, I think the issue may be that you have the base search in a panel. I think it needs to be outside the panel:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/Buildandeditforms


kmaron
Motivator

Is the index=a-index* sourcetype="a-srctype" your base search?


brdr
Contributor

Yes, that is my base search. I think the XML got cut up. Reposting it.

Dashboard -Test Base Search

<input type="time" searchWhenChanged="true" token="timeVar02">
  <label></label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <title>Total Accounts</title>
  <single>
    <search base="BaseSearchC">
      <query>| stats dc(AccountId) as Total</query>
    </search>
    <option name="drilldown">none</option>
    <option name="height">87</option>
  </single>
</panel>


<query>index=a-index sourcetype="a-sourcetype"</query>
      <earliest>$timeVar02.earliest$</earliest>
      <latest>$timeVar02.latest$</latest>