- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Base Search returning different results than norma...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Base Search returning different results than normal search
As the title suggests, I'm having issues with a base search that I'm trying to create. The base search uses tokens to pull info from a data model and the actual search uses stats to get a count of vendor products. The issue that I'm having is that the search runs normally without the base search, but when it is split up using the base search there is information missing. Clicking on the magnifying glass (in the table with the missing info) opens a new search that reconnects the searches comes up with the correct info. I'm baffled as to why this is happening. I've done research about this issue and all that I've found is this question - https://answers.splunk.com/answers/608175/splunk-dashboard-base-search-gives-result-which-is.html
As far as I know it shouldn't be an issue with limits.conf because the search is returning less than 50 results.
Base Search:
<search id="baseSearch1">
<query>
$control_token_visualizations$
|from datamodel:"Malware.Malware_Attacks"
|search $env_tok$ dest="*$hostname_tok$*"$avtype_tok$ vendor_product="$vendor_tok$" sourcetype!=carbonblack:defense:json
</query>
<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>
</search>
Continued search:
<panel>
<title>Top Destinations</title>
<table>
<search base="baseSearch1">
<query>
|stats values(vendor_product) count by dest
|rename values(vendor_product) AS "Vendor Product"
|sort - count
</query>
</search>
<option name="count">15</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are using base searches, you must return the fields required by all the panels on base search. If you do not return the fields on base search, then the panels will not work as expected. In you situation change your base search return fields, then your problem should be resolved. Please let me know if this doesn't work.
<search id="baseSearch1">
<query>
$control_token_visualizations$
|from datamodel:"Malware.Malware_Attacks"
|search $env_tok$ dest="*$hostname_tok$*"$avtype_tok$ vendor_product="$vendor_tok$" sourcetype!=carbonblack:defense:json
|fields vendor_product,dest
</query>
<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>
</search>
If you want to know how to use base searches with a quick example, you can also refer to the below video.
https://www.youtube.com/watch?v=6s3jV6Tx6yg
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I made the change but I'm still not seeing the correct data. I opened the view in a search and the correct data showed up when it was in Fast Mode. I changed it to Verbose Mode and the results were what I was seeing on the view.
Is there any way that I can make the view run in Fast Mode? I've read that it does run in Fast as default, but this one obviously isn't working correctly.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
