Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there any generic stats command I can add to the base search?

POR160893
Builder
‎11-21-2022 02:54 AM

Hi,

I have a dashboard with a base search a number of chain searches. My base search is very long and the chain searches are a just different stats commands. However, the dashboard does not render the results unless I place a stats command also in the base search. This where I am running into trouble as I need to find a stats command that is generic enough to go before all the unique stats command for each panel.

Example,
Base search: index = ABC .......
Chain search1: | stats count by XYZ| head 10
Chain search2: | stats count by MNO| head 10


This renders when I open the query in "Open in Search" but no results are generated for any panel on the dashboards for the same queries. The dashboard panels only render when I add a stats command at the base search like
Base search: index = ABC ....... |stats count by GHI,
However, this stats query on the base search precludes me fro adding individual stats command for each panel.

Is there any generic stats command I can add to the base search?

Thanks!

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-21-2022 03:16 AM

Hi @POR160893,

check the fields in output to the base search: if you have them in a streming command ok, otherwise, you have to declare them using the fields command, in your samples XYZ, MNO, GHI.

Ciao.

Giuseppe

Reply

POR160893
Builder
‎11-21-2022 03:41 AM

I added fields at the start of my chain searches like as follows with a generic stats count by host at the end of my base search:

POR160893_0-1669030889814.png

But no results ....

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-21-2022 04:51 AM

Hi @POR160893,

after  a stats command you have only the fields in the command, in your case only host and count, but not src_location, for this reason you don't find anything.

Add it to the first stats.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...