Dashboards & Visualizations

Why is data passed from the global search to a child search not displayed on the dashboard?

AKG1_old1
Builder

Hello,

In my dashboard, I am using one global search and multiple sub search queries (which use the global search query data).

The issue is that data is not getting displayed on the dashboard, but when I click on the search button, it appends the sub search to the global search and displays results. Not sure why it's not getting displayed on the dashboard.

Global Search

  <search id="globalSearch">
    <query>eventtype=mlc_live host=$host_token$ sourcetype=tool_lifecycle </query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
  </search>

Sub Search

<search base="globalSearch">
  <query> | eval ScriptName2=ScriptName |  rex field="ScriptName" "^\S+_(?&lt;ScriptName&gt;[^\.]+)\.\S+" | rex field="ScriptName2" "^\S+\.sh\s*(?&lt;Instance&gt;\S+)" | rex field="ActivityType" "^#(?&lt;ActivityType&gt;[^\.]+);" | eval ActivityType=if(isNOTNULL(ActivityType),ActivityType,"NA") | search ScriptName IN (*$script_name_token$*) AND ActivityType = "*$activity_type_token$*" AND Status = "*$status_token$*"  | table _time ScriptName Instance StartDate StartTime EndDate EndTime Duration UniqueIdentifier Status ActivityType | sort 0 _time desc | dedup UniqueIdentifier</query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
</search>

1 Solution

kamlesh_vaghela
SplunkTrust

Hi,

I'm just putting the extraction into the base search. Can you please try it, if it is not affecting your business logic?

<search id="globalSearch">
     <query>eventtype=mlc_live host=$host_token$ sourcetype=tool_lifecycle | eval ScriptName2=ScriptName |  rex field="ScriptName" "^\S+_(?&lt;ScriptName&gt;[^\.]+)\.\S+" | rex field="ScriptName2" "^\S+\.sh\s*(?&lt;Instance&gt;\S+)" | rex field="ActivityType" "^#(?&lt;ActivityType&gt;[^\.]+);" | table  _time ScriptName Instance StartDate StartTime EndDate EndTime Duration UniqueIdentifier Status ActivityType </query>
     <earliest>$time_token.earliest$</earliest>
     <latest>$time_token.latest$</latest>
   </search>



   <search base="globalSearch">
   <query>eval ActivityType=if(isNOTNULL(ActivityType),ActivityType,"NA") | search ScriptName IN (*$script_name_token$*) AND ActivityType = "*$activity_type_token$*" AND Status = "*$status_token$*"  | table _time ScriptName Instance StartDate StartTime EndDate EndTime Duration UniqueIdentifier Status ActivityType | sort 0 _time desc | dedup UniqueIdentifier</query>
 </search>

Please correct my syntax if there is any typo.

Thanks

AKG1_old1
Builder

Great!! Thanks. Can you please mark it as Answer?

kamlesh_vaghela
SplunkTrust

Shifted to Answer.

rjthibod
Champion

You are not following many of the best practices for base/global searches and post-processing.

  1. Passing raw events to a post-processing search, i.e., not transforming the data in the base search
  2. Not indicating in the base search which fields are needed in post-processing
  3. Not limiting the search results in any way

See here: http://docs.splunk.com/Documentation/Splunk/7.0.0/Viz/Savedsearches#Post-process_searches_2

You need to rethink your use case and strip down the base searches to use more suitable usage.
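
The checks discussed in this thread can be automated over a dashboard's Simple XML. The following is an added example, not code from any poster or from Splunk: it flags a base search that neither transforms events nor names fields, and a post-process search that sets its own time range. The `SHAPING` command list, the function names and both sample dashboards are assumptions constructed for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: partial list of SPL commands that transform events (stats, chart, ...)
# or name the fields to keep (table, fields). Extend it for your own dashboards.
SHAPING = {"stats", "chart", "timechart", "top", "rare", "table", "fields"}

def spl_commands(query):
    """Command name of every pipe-separated segment after the first one."""
    unquoted = re.sub(r'"[^"]*"', '""', query)  # hide any '|' inside quoted regexes
    return {seg.split()[0].lower() for seg in unquoted.split("|")[1:] if seg.strip()}

def lint_dashboard(xml_text):
    """Return (search id, finding) pairs for base and post-process searches."""
    searches = list(ET.fromstring(xml_text).iter("search"))
    used_as_base = {s.get("base") for s in searches if s.get("base")}
    findings = []
    for s in searches:
        if s.get("base"):
            # The thread notes earliest/latest are not needed on a post-process search.
            if s.find("earliest") is not None or s.find("latest") is not None:
                findings.append((s.get("base"), "post-process search sets earliest/latest"))
        elif s.get("id") in used_as_base:
            if not spl_commands(s.findtext("query") or "") & SHAPING:
                findings.append((s.get("id"), "base search passes raw events and names no fields"))
    return findings

# Constructed sample dashboards, shortened from the patterns in this thread.
QUESTION_STYLE = """<dashboard>
  <search id="globalSearch">
    <query>eventtype=mlc_live host=$host_token$ sourcetype=tool_lifecycle</query>
    <earliest>$time_token.earliest$</earliest>
  </search>
  <search base="globalSearch">
    <query>| rex field="ActivityType" "^#(?&lt;ActivityType&gt;[^\\.]+);" | dedup UniqueIdentifier</query>
    <earliest>$time_token.earliest$</earliest>
  </search>
</dashboard>"""

ANSWER_STYLE = """<dashboard>
  <search id="globalSearch">
    <query>eventtype=mlc_live host=$host_token$ | rex field="ActivityType" "^#(?&lt;ActivityType&gt;[^\\.]+);" | table _time ActivityType Status UniqueIdentifier</query>
    <earliest>$time_token.earliest$</earliest>
  </search>
  <search base="globalSearch">
    <query>search Status="*$status_token$*" | dedup UniqueIdentifier</query>
  </search>
</dashboard>"""

if __name__ == "__main__":
    for name, xml_text in (("question", QUESTION_STYLE), ("answer", ANSWER_STYLE)):
        print(name, lint_dashboard(xml_text))
```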

AKG1_old1
Builder

Thank you for clearing up the concept of base/global search. It helped 🙂

kamlesh_vaghela
SplunkTrust

Hi

There is no need to put earliest & latest in sub search. Can you please then?

Does your sub search panel show No rec Found or Waiting for input?

Thanks

0 Karma

AKG1_old1
Builder

Thanks for the reply. I tried removing the earliest and latest time but it's not working. It's showing "No Results Found".

0 Karma

sabeeshvk
Observer

I added a table command with the required fields and that resolved it. 

0 Karma