Dashboards & Visualizations

event types not available in base search

VincentC
Explorer

I have a dashboard displaying counts on some event types I have created.

I tried to optimize by adding a base search to my dashboard but it seems that event types are not available in the results of the base search.

Is this expected? Any workaround?

ITWhisperer
Legend

It doesn't sound like it is expected. Can you give examples of your data and your searches?

VincentC
Explorer

I have simple log data and I use event types to classify them based on their _raw content:

event type loglevel_error, search string "[ERROR] OR CRITICAL", color red

event type loglevel_warning, search string "[WARN] OR [WARNING]", color orange

The event type is added correctly when my dashboard uses inline searches, but not when I use a base search.

As a workaround I have included my event type search strings in my base search with searchmatch. However I no longer have the color coding associated with event types when I display my logs. 

soutamo
SplunkTrust

In base search there are some restrictions and tricks which you should know: https://docs.splunk.com/Documentation/Splunk/8.0.5/Viz/Savedsearches You have probably already read this? There is a mention that you should use transforming searches in a base search (e.g. stats etc.). If not, then there are some limitations on how many events etc. it can return. One additional one is: which fields does it return? Basically it returns only those which you have mentioned in it! In your case you probably didn’t mention all those fields in your event type. The easiest (but not optimal) way to fix this is to add “| fields *” to the end of your base search. After that those event types should work on your dashboards.

r. Ismo

VincentC
Explorer

I thought I had tried that already but indeed it does work with a | fields * at the end of the base search. I'll have a deeper look into this.

Thanks a lot

soutamo
SplunkTrust

Is your dashboard under the same app where you have created your eventtypes?

r. Ismo

VincentC
Explorer

Yes it is.

Event types are extracted correctly with inline searches, but not when using a base search.
