Dashboards & Visualizations

Is there any generic stats command I can add to the base search?

POR160893
Builder

Hi,

I have a dashboard with a base search and a number of chain searches. My base search is very long and the chain searches are just different stats commands. However, the dashboard does not render the results unless I also place a stats command in the base search. This is where I am running into trouble, as I need to find a stats command that is generic enough to go before all the unique stats commands for each panel.

Example,
Base search: index = ABC .......
Chain search1: | stats count by XYZ| head 10
Chain search2: | stats count by MNO| head 10


This renders when I open the query in "Open in Search" but no results are generated for any panel on the dashboards for the same queries. The dashboard panels only render when I add a stats command at the base search like
Base search: index = ABC ....... |stats count by GHI,
However, this stats query on the base search precludes me from adding individual stats commands for each panel.

Is there any generic stats command I can add to the base search?

Thanks!


gcusello
SplunkTrust

Hi @POR160893,

Check the fields in output to the base search: if you have them in a streaming command, OK; otherwise, you have to declare them using the fields command, in your samples XYZ, MNO, GHI.

Ciao.

Giuseppe

POR160893
Builder

I added fields at the start of my chain searches as follows, with a generic stats count by host at the end of my base search:

[Image attachment: POR160893_0-1669030889814.png]

But no results ....


gcusello
SplunkTrust

Hi @POR160893,

After a stats command you have only the fields in the command, in your case only host and count, but not src_location; for this reason you don't find anything.

Add it to the first stats.

Ciao.

Giuseppe
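
The pattern described in the answers above, written out as a Simple XML dashboard. This is an added example, not part of the original thread. `index=ABC` and the fields `XYZ` and `MNO` are the placeholders from the question; the time range and panel titles are assumptions.

```xml
<dashboard version="1.1">
  <label>Base search with chained panels (constructed example)</label>

  <!-- Base search: one transforming stats that keeps EVERY field any panel
       groups by. Fields not named here are gone for the chain searches. -->
  <search id="base">
    <query>index=ABC | stats count by XYZ, MNO</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Top 10 XYZ</title>
      <table>
        <!-- Chain search: rows are already counted, so re-aggregate with
             sum(count) rather than count, then rank and trim. -->
        <search base="base">
          <query>| stats sum(count) as count by XYZ | sort - count | head 10</query>
        </search>
      </table>
    </panel>

    <panel>
      <title>Top 10 MNO</title>
      <table>
        <search base="base">
          <query>| stats sum(count) as count by MNO | sort - count | head 10</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Because `stats ... by XYZ, MNO` drops events in which either field is missing, the per-panel totals can be lower than a standalone `stats count by XYZ` over the raw events.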
