Dashboards & Visualizations

Dashboard - Base Search not returning results into panel

Contributor

Having trouble with base search. I'm trying to build on a base search. For now I have one panel with a base search. In the end I will have for panels using the same base search... Here is my XML. My issue the panel is not populated with the result. Where if I open the search from within the panel after saving the XML the search returns fine. What am I doing wrong. Thank you.

Source:

Dashboard - Test Base Search

<input type="time" searchWhenChanged="true" token="timeVar02">
  <label></label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <title>Total Accounts</title>
  <single>
    <search base="BaseSearchC">
      <query>| stats dc(AccountId) as Total</query>
    </search>
    <option name="drilldown">none</option>
    <option name="height">87</option>
  </single>
</panel>


<query>index=a-index* sourcetype="a-srctype"</query>
      <earliest>$timeVar02.earliest$</earliest>
      <latest>$timeVar02.latest$</latest>
0 Karma
1 Solution

Motivator

I think your main issue is that your base search needs to be a transforming search
see this documentation: http://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/Savedsearches

You might also want to reorder things.

Something like this:

<form>
<input type="time" searchWhenChanged="true" token="timeVar02">
   <label></label>
   <default>
     <earliest>-24h@h</earliest>
     <latest>now</latest>
   </default>
 </input>
<search id="BaseSearchC">  
   <query>index=a-index sourcetype="a-sourcetype"</query>
       <earliest>$timeVar02.earliest$</earliest>
       <latest>$timeVar02.latest$</latest>
</search>

<row>
 <panel>
   <title>Total Accounts</title>
   <single>
     <search base="BaseSearchC">
       <query>| stats dc(AccountId) as Total</query>
     </search>
     <option name="drilldown">none</option>
     <option name="height">87</option>
   </single>
 </panel>
 </row>

View solution in original post

Your base search needs to be wrapped with <search id="baseSearchC"> at the beginning and </search> at the end. Additionally, a post-processed search is only meant to be used with a base search that has a transforming command. Unless there's a lot more to this dashboard, there's no good reason to use a base search and post-process here. If there are other panels, perhaps you can share their searches, and we can help you optimize? If you really want to use a base/post-process search structure here, you'll need to reference the AccountId field in your base search, or else the post-process search won't have access to it. So you could make your base search something like this:

index=a-index* sourcetype="a-srctype"
| fields AccountId

But really, unless you have other panels that need this base search shared, you should combine the base and post-process into a single search in your panel.

Legend

agree to @elliotproebstel, your base search should have statistically aggregated data which should then be passed on to other post-process searches. If you need to use raw data from base search you might be better off running same search twice rather than using post-processing. Refer to documentation for best practice: http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Best_practices

Also check out Examples provided in above documentation which tells recursive post processing and complex statistical data to be passed on from base search to post-process search.

Refer to one of my recent answers to use Post Processing to show plot Timechart and Pie Chart: https://answers.splunk.com/answers/637178/how-to-generate-a-pie-chart.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Revered Legend

I can see two issues
1) I don't see the base search being assigned id="BaseSearchC". Is that a copy-paste error here?
2) The base search should've some sort of reporting command (aggregation commands like stats,timechart,chart are preferred, at minimum, so table or fields command).

0 Karma

Motivator

I think your main issue is that your base search needs to be a transforming search
see this documentation: http://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/Savedsearches

You might also want to reorder things.

Something like this:

<form>
<input type="time" searchWhenChanged="true" token="timeVar02">
   <label></label>
   <default>
     <earliest>-24h@h</earliest>
     <latest>now</latest>
   </default>
 </input>
<search id="BaseSearchC">  
   <query>index=a-index sourcetype="a-sourcetype"</query>
       <earliest>$timeVar02.earliest$</earliest>
       <latest>$timeVar02.latest$</latest>
</search>

<row>
 <panel>
   <title>Total Accounts</title>
   <single>
     <search base="BaseSearchC">
       <query>| stats dc(AccountId) as Total</query>
     </search>
     <option name="drilldown">none</option>
     <option name="height">87</option>
   </single>
 </panel>
 </row>

View solution in original post

Contributor

It was not having a transforming command that slipped me up. thanks folks for the help.

0 Karma

Path Finder

Hey brdr, I think the issue may be that you have the base search in a panel. I think it need to be outside the panel:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/Buildandeditforms

0 Karma

Motivator

is the index=a-index* sourcetype="a-srctype" your base search?

0 Karma

Contributor

yes. that is my base search. I think the xml got cut up. reposting it.

Dashboard -Test Base Search

<input type="time" searchWhenChanged="true" token="timeVar02">
  <label></label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <title>Total Accounts</title>
  <single>
    <search base="BaseSearchC">
      <query>| stats dc(AccountId) as Total</query>
    </search>
    <option name="drilldown">none</option>
    <option name="height">87</option>
  </single>
</panel>


<query>index=a-index sourcetype="a-sourcetype"</query>
      <earliest>$timeVar02.earliest$</earliest>
      <latest>$timeVar02.latest$</latest>
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!