Dashboards & Visualizations

Why doesn't my XML base search work?

Communicator

I am playing with my base search and wondering why this is not working for me. My XML is as below. Pretty simple one huh?

So base search is just index=xyz for last 60 minutes. And the data has a field called action. I want timechart on that action.
For result it just shows timechart on just action (NULL) and not all.

If I open the same search in another window, I am getting proper result. Why such behavior?

<dashboard>
  <search id="basesearch">
    <query> index=xyz
     </query>
      <earliest>-60m</earliest>
       <latest>now</latest>  
  </search>
  <row>
    <panel>
      <chart>
        <search base="basesearch">
          <query>stats count by action</query>
        </search>
      </chart>
    </panel>
  </row>
  </dashboard>

PS: If I run stats count instead of timechart then it show No Result found but the same query works well in search.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

@varad_joshi, you can try to return specific fields or try | fields * in your base search and then see whether your post-process query picks it up or not. However, you should refer to Post Processing Best Practices that the base search should have a transforming command and you must not try to pass on raw events through the base search (in such cases you might be better off running separate searches instead of post processing).

Check out examples on how you should ideally perform post processing (multiple and multi-level)

   <search id="basesearch">
     <query> index=xyz | fields action
      </query>
       <earliest>-60m</earliest>
        <latest>now</latest>  
   </search>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

SplunkTrust
SplunkTrust

@varad_joshi, you can try to return specific fields or try | fields * in your base search and then see whether your post-process query picks it up or not. However, you should refer to Post Processing Best Practices that the base search should have a transforming command and you must not try to pass on raw events through the base search (in such cases you might be better off running separate searches instead of post processing).

Check out examples on how you should ideally perform post processing (multiple and multi-level)

   <search id="basesearch">
     <query> index=xyz | fields action
      </query>
       <earliest>-60m</earliest>
        <latest>now</latest>  
   </search>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Communicator

Thanks Niket.
Yes I figured that later once I posted the question.

Thanks for your answer.

0 Karma

Ultra Champion

Aren't you missing the pipe at <query>stats count by action</query>?, meaning something like <query>| stats count by action</query>

SplunkTrust
SplunkTrust

@ddrillic, I don't think pipe is mandatory for post process searches.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Ultra Champion

Fair enough - thank you @niketnilay.