Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

event types not available in base search

VincentC
Explorer
‎09-05-2020 01:33 AM

I have a dashboard displaying counts on some event types I have created.

I tried to optimize by adding a base search to my dashboard but it seems that event types are not available in the results of the base search.

Is this expected ? Any workaroud ?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎09-05-2020 03:57 AM

In base search there are some restrictions and tricks which you should know. https://docs.splunk.com/Documentation/Splunk/8.0.5/Viz/Savedsearches You probably have already read this? There is a mention that you should use transforming searches on base search (e.g. stats etc). If not then there are some limitations how many events etc. it can returns. One additional is, what fields it return? Basically it returns only those which you are mentioned in it! In your case you probably didn’t mention all those fields in your event type. Easiest (but not optimal) way to fix this is add “| fields *” to the end of your base search. After that those event types should works on your dashboards.

r. Ismo

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2020 01:51 AM

It doesn't sound like it is expected. Can you give examples of your data and your searches?

0 Karma
Reply
Solved! Jump to solution

VincentC
Explorer
‎09-05-2020 03:47 AM

I have simple log data and I use event types to classify them based on their _raw content:

event type loglevel_error, search string "[ERROR] OR CRITICAL", color red

event type loglevel_warning, search string "[WARN] OR [WARNING]", color orange

The event type is added correctly when my dashboard uses inline searches, but not when i use a base search.

 

As a workaround I have included my event type search strings in my base search with searchmatch. However I no longer have the color coding associated with event types when I display my logs. 

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎09-05-2020 03:57 AM

In base search there are some restrictions and tricks which you should know. https://docs.splunk.com/Documentation/Splunk/8.0.5/Viz/Savedsearches You probably have already read this? There is a mention that you should use transforming searches on base search (e.g. stats etc). If not then there are some limitations how many events etc. it can returns. One additional is, what fields it return? Basically it returns only those which you are mentioned in it! In your case you probably didn’t mention all those fields in your event type. Easiest (but not optimal) way to fix this is add “| fields *” to the end of your base search. After that those event types should works on your dashboards.

r. Ismo

Reply
Solved! Jump to solution

VincentC
Explorer
‎09-05-2020 04:12 AM

I thought I had tried that already but indeed it does work with a | fields * at the end of the base search. I'll have a deeper look into this.

Thanks a lot

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-05-2020 03:39 AM

Is your dashboard under same app where you have created your eventtypes?

r. Ismo

0 Karma
Reply
Solved! Jump to solution

VincentC
Explorer
‎09-05-2020 03:50 AM

Yes it is.

Event types are extracted correctly with inline searches, but not when using a base search.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...