Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there any generic stats command I can add to the base search?

POR160893
Builder
‎11-21-2022 02:54 AM

Hi,

I have a dashboard with a base search a number of chain searches. My base search is very long and the chain searches are a just different stats commands. However, the dashboard does not render the results unless I place a stats command also in the base search. This where I am running into trouble as I need to find a stats command that is generic enough to go before all the unique stats command for each panel.

Example,
Base search: index = ABC .......
Chain search1: | stats count by XYZ| head 10
Chain search2: | stats count by MNO| head 10


This renders when I open the query in "Open in Search" but no results are generated for any panel on the dashboards for the same queries. The dashboard panels only render when I add a stats command at the base search like
Base search: index = ABC ....... |stats count by GHI,
However, this stats query on the base search precludes me fro adding individual stats command for each panel.

Is there any generic stats command I can add to the base search?

Thanks!

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-21-2022 03:16 AM

Hi @POR160893,

check the fields in output to the base search: if you have them in a streming command ok, otherwise, you have to declare them using the fields command, in your samples XYZ, MNO, GHI.

Ciao.

Giuseppe

Reply

POR160893
Builder
‎11-21-2022 03:41 AM

I added fields at the start of my chain searches like as follows with a generic stats count by host at the end of my base search:

POR160893_0-1669030889814.png

But no results ....

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-21-2022 04:51 AM

Hi @POR160893,

after  a stats command you have only the fields in the command, in your case only host and count, but not src_location, for this reason you don't find anything.

Add it to the first stats.

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...