Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboard - Base Search not returning results into panel

brdr
Contributor
‎04-17-2018 10:22 AM

Having trouble with base search. I'm trying to build on a base search. For now I have one panel with a base search. In the end I will have for panels using the same base search... Here is my XML. My issue the panel is not populated with the result. Where if I open the search from within the panel after saving the XML the search returns fine. What am I doing wrong. Thank you.

Source:

Dashboard - Test Base Search

<input type="time" searchWhenChanged="true" token="timeVar02">
  <label></label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <title>Total Accounts</title>
  <single>
    <search base="BaseSearchC">
      <query>| stats dc(AccountId) as Total</query>
    </search>
    <option name="drilldown">none</option>
    <option name="height">87</option>
  </single>
</panel>


<query>index=a-index* sourcetype="a-srctype"</query>
      <earliest>$timeVar02.earliest$</earliest>
      <latest>$timeVar02.latest$</latest>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmaron
Motivator
‎04-17-2018 10:37 AM

I think your main issue is that your base search needs to be a transforming search
see this documentation: http://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/Savedsearches

You might also want to reorder things.

Something like this:

<form>
<input type="time" searchWhenChanged="true" token="timeVar02">
   <label></label>
   <default>
     <earliest>-24h@h</earliest>
     <latest>now</latest>
   </default>
 </input>
<search id="BaseSearchC">  
   <query>index=a-index sourcetype="a-sourcetype"</query>
       <earliest>$timeVar02.earliest$</earliest>
       <latest>$timeVar02.latest$</latest>
</search>

<row>
 <panel>
   <title>Total Accounts</title>
   <single>
     <search base="BaseSearchC">
       <query>| stats dc(AccountId) as Total</query>
     </search>
     <option name="drilldown">none</option>
     <option name="height">87</option>
   </single>
 </panel>
 </row>

View solution in original post

Reply
Solved! Jump to solution

elliotproebstel
Champion
‎04-17-2018 10:39 AM

Your base search needs to be wrapped with <search id="baseSearchC"> at the beginning and </search> at the end. Additionally, a post-processed search is only meant to be used with a base search that has a transforming command. Unless there's a lot more to this dashboard, there's no good reason to use a base search and post-process here. If there are other panels, perhaps you can share their searches, and we can help you optimize? If you really want to use a base/post-process search structure here, you'll need to reference the AccountId field in your base search, or else the post-process search won't have access to it. So you could make your base search something like this:

index=a-index* sourcetype="a-srctype"
| fields AccountId

But really, unless you have other panels that need this base search shared, you should combine the base and post-process into a single search in your panel.

Reply
Solved! Jump to solution

niketn
Legend
‎04-17-2018 11:07 AM

agree to @elliotproebstel, your base search should have statistically aggregated data which should then be passed on to other post-process searches. If you need to use raw data from base search you might be better off running same search twice rather than using post-processing. Refer to documentation for best practice: http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Best_practices

Also check out Examples provided in above documentation which tells recursive post processing and complex statistical data to be passed on from base search to post-process search.

Refer to one of my recent answers to use Post Processing to show plot Timechart and Pie Chart: https://answers.splunk.com/answers/637178/how-to-generate-a-pie-chart.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-17-2018 10:39 AM

I can see two issues
1) I don't see the base search being assigned id="BaseSearchC". Is that a copy-paste error here?
2) The base search should've some sort of reporting command (aggregation commands like stats,timechart,chart are preferred, at minimum, so table or fields command).

0 Karma
Reply
Solved! Jump to solution
Solution

kmaron
Motivator
‎04-17-2018 10:37 AM

I think your main issue is that your base search needs to be a transforming search
see this documentation: http://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/Savedsearches

You might also want to reorder things.

Something like this:

<form>
<input type="time" searchWhenChanged="true" token="timeVar02">
   <label></label>
   <default>
     <earliest>-24h@h</earliest>
     <latest>now</latest>
   </default>
 </input>
<search id="BaseSearchC">  
   <query>index=a-index sourcetype="a-sourcetype"</query>
       <earliest>$timeVar02.earliest$</earliest>
       <latest>$timeVar02.latest$</latest>
</search>

<row>
 <panel>
   <title>Total Accounts</title>
   <single>
     <search base="BaseSearchC">
       <query>| stats dc(AccountId) as Total</query>
     </search>
     <option name="drilldown">none</option>
     <option name="height">87</option>
   </single>
 </panel>
 </row>
Reply
Solved! Jump to solution

brdr
Contributor
‎04-17-2018 11:05 AM

It was not having a transforming command that slipped me up. thanks folks for the help.

0 Karma
Reply
Solved! Jump to solution

jodyfsu
Path Finder
‎04-17-2018 10:30 AM

Hey brdr, I think the issue may be that you have the base search in a panel. I think it need to be outside the panel:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/Buildandeditforms

0 Karma
Reply
Solved! Jump to solution

kmaron
Motivator
‎04-17-2018 10:29 AM

is the index=a-index* sourcetype="a-srctype" your base search?

0 Karma
Reply
Solved! Jump to solution

brdr
Contributor
‎04-17-2018 10:33 AM

yes. that is my base search. I think the xml got cut up. reposting it.

Dashboard -Test Base Search

<input type="time" searchWhenChanged="true" token="timeVar02">
  <label></label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <title>Total Accounts</title>
  <single>
    <search base="BaseSearchC">
      <query>| stats dc(AccountId) as Total</query>
    </search>
    <option name="drilldown">none</option>
    <option name="height">87</option>
  </single>
</panel>


<query>index=a-index sourcetype="a-sourcetype"</query>
      <earliest>$timeVar02.earliest$</earliest>
      <latest>$timeVar02.latest$</latest>
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...