event types not available in base search

VincentC
Explorer

I have a dashboard displaying counts on some event types I have created.

I tried to optimize by adding a base search to my dashboard but it seems that event types are not available in the results of the base search.

Is this expected? Any workaround?

ITWhisperer
SplunkTrust

It doesn't sound like it is expected. Can you give examples of your data and your searches?

VincentC
Explorer

I have simple log data and I use event types to classify them based on their _raw content:

event type loglevel_error, search string "[ERROR] OR CRITICAL", color red

event type loglevel_warning, search string "[WARN] OR [WARNING]", color orange

The event type is added correctly when my dashboard uses inline searches, but not when I use a base search.

As a workaround I have included my event type search strings in my base search with searchmatch. However I no longer have the color coding associated with event types when I display my logs. 

isoutamo
SplunkTrust

In base search there are some restrictions and tricks which you should know. https://docs.splunk.com/Documentation/Splunk/8.0.5/Viz/Savedsearches You have probably already read this? There is a mention that you should use transforming searches in the base search (e.g. stats etc.). If not, then there are some limitations on how many events etc. it can return. One additional point is which fields it returns. Basically, it returns only those which you have mentioned in it! In your case you probably didn't mention all those fields in your event type. The easiest (but not optimal) way to fix this is to add "| fields *" to the end of your base search. After that those event types should work on your dashboards.

r. Ismo
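
The fix described in the answer above, as a Simple XML dashboard. This is an added example, not part of the original thread; the index, sourcetype, search id and time range are hypothetical, and only the event type names come from the question.

```xml
<!-- Added example, not from the thread.
     index=app_logs and sourcetype=app:log are hypothetical placeholders. -->
<dashboard version="1.1">
  <label>Log levels by event type</label>

  <!-- Base search: it is non-transforming, so it ends with "| fields *"
       as the answer suggests. Without it, eventtype is not passed on to
       the post-process searches below. -->
  <search id="base_logs">
    <query>index=app_logs sourcetype=app:log | fields *</query>
    <earliest>-4h@m</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Errors</title>
      <single>
        <!-- Post-process search: must start with "search" or a pipe -->
        <search base="base_logs">
          <query>search eventtype=loglevel_error | stats count</query>
        </search>
      </single>
    </panel>
    <panel>
      <title>Warnings</title>
      <single>
        <search base="base_logs">
          <query>search eventtype=loglevel_warning | stats count</query>
        </search>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events</title>
      <!-- Event viewer panel: shows the events matched by either event type -->
      <event>
        <search base="base_logs">
          <query>search eventtype=loglevel_*</query>
        </search>
        <option name="count">20</option>
      </event>
    </panel>
  </row>
</dashboard>
```

Because the base search here returns raw events rather than transformed results, the event-count limitations mentioned in the answer apply, so the time range is kept short.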

VincentC
Explorer

I thought I had tried that already but indeed it does work with a | fields * at the end of the base search. I'll have a deeper look into this.

Thanks a lot

isoutamo
SplunkTrust

Is your dashboard under the same app where you have created your eventtypes?

r. Ismo

VincentC
Explorer

Yes it is.

Event types are extracted correctly with inline searches, but not when using a base search.
