Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there any generic stats command I can add to the base search?

POR160893
Builder
‎11-21-2022 02:54 AM

Hi,

I have a dashboard with a base search a number of chain searches. My base search is very long and the chain searches are a just different stats commands. However, the dashboard does not render the results unless I place a stats command also in the base search. This where I am running into trouble as I need to find a stats command that is generic enough to go before all the unique stats command for each panel.

Example,
Base search: index = ABC .......
Chain search1: | stats count by XYZ| head 10
Chain search2: | stats count by MNO| head 10


This renders when I open the query in "Open in Search" but no results are generated for any panel on the dashboards for the same queries. The dashboard panels only render when I add a stats command at the base search like
Base search: index = ABC ....... |stats count by GHI,
However, this stats query on the base search precludes me fro adding individual stats command for each panel.

Is there any generic stats command I can add to the base search?

Thanks!

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-21-2022 03:16 AM

Hi @POR160893,

check the fields in output to the base search: if you have them in a streming command ok, otherwise, you have to declare them using the fields command, in your samples XYZ, MNO, GHI.

Ciao.

Giuseppe

Reply

POR160893
Builder
‎11-21-2022 03:41 AM

I added fields at the start of my chain searches like as follows with a generic stats count by host at the end of my base search:

POR160893_0-1669030889814.png

But no results ....

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-21-2022 04:51 AM

Hi @POR160893,

after  a stats command you have only the fields in the command, in your case only host and count, but not src_location, for this reason you don't find anything.

Add it to the first stats.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...