Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How come the following code for a post process search in a dashboard is not returning results?

Carolina
Engager
‎11-19-2018 06:38 PM

Hi,

I have the following code for post process search but it does not show me results.

<dashboard>
  <label>id_base</label>
      <search id="base1">
    <query> index=_internal source="*" sourcetype=splunkd_access</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>

</search>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search base="base1">
          <query> stats count by method</query>

        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</dashboard>

Could you help me?, please.

Regards.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎11-19-2018 07:29 PM

Line 22 needs a pipe proceeding the search like this.. Best way to troubleshoot this is to click the search icon and open the search in a new window to see the query strung together 

<dashboard>
   <label>id_base</label>
       <search id="base1">
     <query> index=_internal source="*" sourcetype=splunkd_access</query>
           <earliest>$field1.earliest$</earliest>
           <latest>$field1.latest$</latest>

 </search>
   <fieldset submitButton="false">
     <input type="time" token="field1">
       <label></label>
       <default>
         <earliest>-24h@h</earliest>
         <latest>now</latest>
       </default>
     </input>
   </fieldset>
   <row>
     <panel>
       <chart>
         <search base="base1">
           <query>| stats count by method</query>

         </search>
         <option name="charting.chart">pie</option>
         <option name="charting.drilldown">none</option>
         <option name="refresh.display">progressbar</option>
       </chart>
     </panel>

View solution in original post

Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-19-2018 09:37 PM

@Carolina
As a performance point of view, I would suggest you mention field names in base search, It will solve your this issue also.

<search id="base1">
     <query> index=_internal source="*" sourcetype=splunkd_access | fields method </query>
           <earliest>$field1.earliest$</earliest>
           <latest>$field1.latest$</latest>
 </search>
0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎11-20-2018 06:53 AM

It would not solve the problem since OP does not have a pipe in his post process search. It's also best practice to use a reporting command in the base search

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎11-19-2018 07:29 PM

Line 22 needs a pipe proceeding the search like this.. Best way to troubleshoot this is to click the search icon and open the search in a new window to see the query strung together 

<dashboard>
   <label>id_base</label>
       <search id="base1">
     <query> index=_internal source="*" sourcetype=splunkd_access</query>
           <earliest>$field1.earliest$</earliest>
           <latest>$field1.latest$</latest>

 </search>
   <fieldset submitButton="false">
     <input type="time" token="field1">
       <label></label>
       <default>
         <earliest>-24h@h</earliest>
         <latest>now</latest>
       </default>
     </input>
   </fieldset>
   <row>
     <panel>
       <chart>
         <search base="base1">
           <query>| stats count by method</query>

         </search>
         <option name="charting.chart">pie</option>
         <option name="charting.drilldown">none</option>
         <option name="refresh.display">progressbar</option>
       </chart>
     </panel>
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎11-29-2018 06:48 AM

@Carolina did this solve your issue? Can you accept the answer to close it out?

0 Karma
Reply
Solved! Jump to solution

akemko
New Member
‎11-19-2018 07:00 PM 
<query>|stats count by method</query>
0 Karma
Reply
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out &gt;&gt; &#x1f3c6; Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...