Having trouble with base search. I'm trying to build on a base search. For now I have one panel with a base search. In the end I will have four panels using the same base search... Here is my XML. My issue is that the panel is not populated with the result, whereas if I open the search from within the panel after saving the XML, the search returns fine. What am I doing wrong? Thank you.
Source:
Dashboard - Test Base Search
<input type="time" searchWhenChanged="true" token="timeVar02">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<panel>
<title>Total Accounts</title>
<single>
<search base="BaseSearchC">
<query>| stats dc(AccountId) as Total</query>
</search>
<option name="drilldown">none</option>
<option name="height">87</option>
</single>
</panel>
<query>index=a-index* sourcetype="a-srctype"</query>
<earliest>$timeVar02.earliest$</earliest>
<latest>$timeVar02.latest$</latest>
I think your main issue is that your base search needs to be a transforming search.
See this documentation: http://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/Savedsearches
You might also want to reorder things.
Something like this:
<form>
<input type="time" searchWhenChanged="true" token="timeVar02">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<search id="BaseSearchC">
<query>index=a-index sourcetype="a-sourcetype"</query>
<earliest>$timeVar02.earliest$</earliest>
<latest>$timeVar02.latest$</latest>
</search>
<row>
<panel>
<title>Total Accounts</title>
<single>
<search base="BaseSearchC">
<query>| stats dc(AccountId) as Total</query>
</search>
<option name="drilldown">none</option>
<option name="height">87</option>
</single>
</panel>
</row>
</form>
Your base search needs to be wrapped with <search id="BaseSearchC"> at the beginning and </search> at the end. Additionally, a post-processed search is only meant to be used with a base search that has a transforming command. Unless there's a lot more to this dashboard, there's no good reason to use a base search and post-process here. If there are other panels, perhaps you can share their searches, and we can help you optimize? If you really want to use a base/post-process search structure here, you'll need to reference the AccountId field in your base search, or else the post-process search won't have access to it. So you could make your base search something like this:
index=a-index* sourcetype="a-srctype"
| fields AccountId
But really, unless you have other panels that need this base search shared, you should combine the base and post-process into a single search in your panel.
Agree with @elliotproebstel: your base search should have statistically aggregated data, which should then be passed on to other post-process searches. If you need to use raw data from the base search, you might be better off running the same search twice rather than using post-processing. Refer to the documentation for best practice: http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Best_practices
Also check out the examples provided in the above documentation, which cover recursive post-processing and passing complex statistical data from the base search to a post-process search.
Refer to one of my recent answers, which uses post-processing to plot a timechart and a pie chart: https://answers.splunk.com/answers/637178/how-to-generate-a-pie-chart.html
I can see two issues:
1) I don't see the base search being assigned id="BaseSearchC". Is that a copy-paste error here?
2) The base search should have some sort of reporting command (aggregation commands like stats, timechart, chart are preferred; at minimum, a table or fields command).
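The two checks raised in the answers above (a base attribute with no matching id, and a base search with no transforming or fields command) can be run over a dashboard's Simple XML before saving it. This is an added example, not part of the original thread; the function names, the accepted-command list and the sample dashboards are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Commands the answers accept in a base search (assumed, non-exhaustive list).
ACCEPTED = {"stats", "timechart", "chart", "top", "rare", "fields", "table"}

def commands(query):
    """Command names that follow a pipe; naive, ignores quoting and subsearches."""
    return {name.lower() for name in re.findall(r"\|\s*([A-Za-z]+)", query or "")}

def lint_dashboard(xml_text):
    """Return sorted findings about base/post-process wiring in Simple XML."""
    root = ET.fromstring(xml_text)
    searches = list(root.iter("search"))
    bases = {s.get("id"): s for s in searches if s.get("id")}
    findings = set()
    for s in searches:
        ref = s.get("base")
        if ref is None:
            continue
        if ref not in bases:  # ids are compared exactly, including case
            findings.add(f"base '{ref}' has no matching <search id>")
        elif not ACCEPTED & commands(bases[ref].findtext("query")):
            findings.add(f"base '{ref}' has no transforming/fields command")
    return sorted(findings)

# Constructed sample dashboards, modelled on the XML in this thread.
TEMPLATE = """<form>
  <search{attr}>
    <query>index=a-index* sourcetype="a-srctype"{tail}</query>
    <earliest>$timeVar02.earliest$</earliest>
    <latest>$timeVar02.latest$</latest>
  </search>
  <row><panel><single>
    <search base="BaseSearchC">
      <query>| stats dc(AccountId) as Total</query>
    </search>
  </single></panel></row>
</form>"""
NO_ID = TEMPLATE.format(attr="", tail="")
RAW_BASE = TEMPLATE.format(attr=' id="BaseSearchC"', tail="")
FIXED = TEMPLATE.format(attr=' id="BaseSearchC"', tail=" | fields AccountId")

if __name__ == "__main__":
    for name, doc in [("NO_ID", NO_ID), ("RAW_BASE", RAW_BASE), ("FIXED", FIXED)]:
        print(name, lint_dashboard(doc))
```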
It was not having a transforming command that slipped me up. Thanks, folks, for the help.
Hey brdr, I think the issue may be that you have the base search in a panel. I think it needs to be outside the panel:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/Buildandeditforms
Is the index=a-index* sourcetype="a-srctype" your base search?
Yes, that is my base search. I think the XML got cut up. Reposting it.
Dashboard -Test Base Search
<input type="time" searchWhenChanged="true" token="timeVar02">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<panel>
<title>Total Accounts</title>
<single>
<search base="BaseSearchC">
<query>| stats dc(AccountId) as Total</query>
</search>
<option name="drilldown">none</option>
<option name="height">87</option>
</single>
</panel>
<query>index=a-index sourcetype="a-sourcetype"</query>
<earliest>$timeVar02.earliest$</earliest>
<latest>$timeVar02.latest$</latest>