I have a dashboard displaying counts on some event types I have created.
I tried to optimize by adding a base search to my dashboard but it seems that event types are not available in the results of the base search.
Is this expected? Any workaround?
It doesn't sound like it is expected. Can you give examples of your data and your searches?
I have simple log data and I use event types to classify them based on their _raw content:
event type loglevel_error, search string "[ERROR] OR CRITICAL", color red
event type loglevel_warning, search string "[WARN] OR [WARNING]", color orange
The event type is added correctly when my dashboard uses inline searches, but not when I use a base search.
As a workaround I have included my event type search strings in my base search with searchmatch. However I no longer have the color coding associated with event types when I display my logs.
In base search there are some restrictions and tricks which you should know. https://docs.splunk.com/Documentation/Splunk/8.0.5/Viz/Savedsearches You have probably already read this? There is a mention that you should use transforming searches in the base search (e.g. stats etc.). If not, then there are some limitations on how many events etc. it can return. One additional point is which fields it returns. Basically it returns only those which you have mentioned in it! In your case you probably didn't mention all those fields in your event type. The easiest (but not optimal) way to fix this is to add "| fields *" to the end of your base search. After that those event types should work on your dashboards.
r. Ismo
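A Simple XML sketch of the setup this answer describes, added here as an illustration and not taken from any poster's dashboard: a non-transforming base search ending in `| fields *`, with post-process searches that filter on the event types named in the thread. The index name `app_logs`, the search id `base_logs`, the time range and the panel titles are assumptions.

```xml
<!-- Added example. index=app_logs, the id base_logs and the titles are assumed placeholders. -->
<dashboard>
  <label>Log level overview</label>
  <!-- Base search: not transforming, so it ends with "| fields *" to pass
       every field, including eventtype, on to the post-process searches. -->
  <search id="base_logs">
    <query>index=app_logs | fields *</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Errors</title>
      <single>
        <!-- Post-process search: runs on the base results, no second index scan. -->
        <search base="base_logs">
          <query>search eventtype=loglevel_error | stats count</query>
        </search>
      </single>
    </panel>
    <panel>
      <title>Warnings</title>
      <single>
        <search base="base_logs">
          <query>search eventtype=loglevel_warning | stats count</query>
        </search>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Matching events</title>
      <!-- Event viewer panel fed from the same base search. -->
      <event>
        <search base="base_logs">
          <query>search eventtype=loglevel_error OR eventtype=loglevel_warning</query>
        </search>
      </event>
    </panel>
  </row>
</dashboard>
```

Without the trailing `| fields *`, the two count panels are the ones that would come back empty in the situation described in the question, because `eventtype` is not among the fields the base search hands on.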
I thought I had tried that already but indeed it does work with a | fields * at the end of the base search. I'll have a deeper look into this.
Thanks a lot
Is your dashboard under the same app where you have created your event types?
r. Ismo
Yes it is.
Event types are extracted correctly with inline searches, but not when using a base search.