Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search for fields within base search when creating dashboard

pc1
Path Finder
‎11-01-2021 12:10 PM

My base search is trying to show the amount of GB left from servers that I have deployed the windows add-on for splunk to. (Not final - just trying to get it to work. Base search below)

source="perfmonmk:logicaldisk" earliest=-7d
| eval gb_free=Free_Megabytes/1024
| timechart span=1d max(gb_free) AS GB_Free

I want to use a chain search like "host=this_server" and "instance=C:" to target specifc servers and drives to show how much space is on each left in a chart. However, i run into many problems when trying to use chain search to narrow the base search's results down. If anyone has any ideas as to how to can search for specific fields from a base search without error it would help a lot. The specific error is "unknown search command" from the chain search

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pc1
Path Finder
‎11-17-2021 11:49 AM

Figured it out for anyone who might come across this in the future:
Set the base search to whatever you want like the one I posted above. (Probably store it as a report and run it often, and then call upon it using "| loadjob savedsearch="user:app:reportName"
Then in the chain search below, use "| search thisField="test" otherField="exampleServerName" and then from there you can | into a timechart or whatever else you might be generating the visualization with. 

Note: you must include the field names that you are going to use in the chain search - in the base search. So at the end of your base search include "| fields test, exampleServerName, etc." 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

pc1
Path Finder
‎11-17-2021 11:49 AM

Figured it out for anyone who might come across this in the future:
Set the base search to whatever you want like the one I posted above. (Probably store it as a report and run it often, and then call upon it using "| loadjob savedsearch="user:app:reportName"
Then in the chain search below, use "| search thisField="test" otherField="exampleServerName" and then from there you can | into a timechart or whatever else you might be generating the visualization with. 

Note: you must include the field names that you are going to use in the chain search - in the base search. So at the end of your base search include "| fields test, exampleServerName, etc." 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎11-01-2021 12:24 PM
Can you add your simple xml code here as examples with you have tried?
0 Karma
Reply
Solved! Jump to solution

pc1
Path Finder
‎11-01-2021 12:36 PM

Screenshot from 2021-11-01 15-32-07.png
Here is more or less the barebones of what I have. With the parent base search being what I already posted and my chain search on top of that trying to pull specific fields from that original data. Or if I am doing this wrong altogether in the wrong part of splunk enterprise ui let me know

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...