Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there any generic stats command I can add to the base search?

POR160893
Builder
‎11-21-2022 02:54 AM

Hi,

I have a dashboard with a base search a number of chain searches. My base search is very long and the chain searches are a just different stats commands. However, the dashboard does not render the results unless I place a stats command also in the base search. This where I am running into trouble as I need to find a stats command that is generic enough to go before all the unique stats command for each panel.

Example,
Base search: index = ABC .......
Chain search1: | stats count by XYZ| head 10
Chain search2: | stats count by MNO| head 10


This renders when I open the query in "Open in Search" but no results are generated for any panel on the dashboards for the same queries. The dashboard panels only render when I add a stats command at the base search like
Base search: index = ABC ....... |stats count by GHI,
However, this stats query on the base search precludes me fro adding individual stats command for each panel.

Is there any generic stats command I can add to the base search?

Thanks!

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-21-2022 03:16 AM

Hi @POR160893,

check the fields in output to the base search: if you have them in a streming command ok, otherwise, you have to declare them using the fields command, in your samples XYZ, MNO, GHI.

Ciao.

Giuseppe

Reply

POR160893
Builder
‎11-21-2022 03:41 AM

I added fields at the start of my chain searches like as follows with a generic stats count by host at the end of my base search:

POR160893_0-1669030889814.png

But no results ....

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-21-2022 04:51 AM

Hi @POR160893,

after  a stats command you have only the fields in the command, in your case only host and count, but not src_location, for this reason you don't find anything.

Add it to the first stats.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...