As the title suggests, I'm having issues with a base search that I'm trying to create. The base search uses tokens to pull info from a data model, and the actual search uses stats to get a count of vendor products. The issue that I'm having is that the search runs normally without the base search, but when it is split up using the base search there is information missing. Clicking the magnifying glass (in the table with the missing info) opens a new search that reconnects the searches and comes up with the correct info. I'm baffled as to why this is happening. I've done research about this issue, and all that I've found is this question: https://answers.splunk.com/answers/608175/splunk-dashboard-base-search-gives-result-which-is.html
As far as I know, it shouldn't be an issue with limits.conf because the search is returning fewer than 50 results.
    <search id="baseSearch1">
      <query>
        $control_token_visualizations$
        | from datamodel:"Malware.Malware_Attacks"
        | search $env_tok$ dest="*$hostname_tok$*"$avtype_tok$ vendor_product="$vendor_tok$" sourcetype!=carbonblack:defense:json
      </query>
      <earliest>$time_tok.earliest$</earliest>
      <latest>$time_tok.latest$</latest>
    </search>

    <panel>
      <title>Top Destinations</title>
      <table>
        <search base="baseSearch1">
          <query>
            | stats values(vendor_product) count by dest
            | rename values(vendor_product) AS "Vendor Product"
            | sort - count
          </query>
        </search>
        <option name="count">15</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
If you are using base searches, the base search must return the fields required by all the panels that use it. If the base search does not return those fields, the panels will not work as expected. In your situation, change your base search to return the fields, and your problem should be resolved. Please let me know if this doesn't work.
    <search id="baseSearch1">
      <query>
        $control_token_visualizations$
        | from datamodel:"Malware.Malware_Attacks"
        | search $env_tok$ dest="*$hostname_tok$*"$avtype_tok$ vendor_product="$vendor_tok$" sourcetype!=carbonblack:defense:json
        | fields vendor_product, dest
      </query>
      <earliest>$time_tok.earliest$</earliest>
      <latest>$time_tok.latest$</latest>
    </search>
If you want to know how to use base searches with a quick example, you can also refer to the video below.
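The following is an added example dashboard, not the answerer's code and not taken from the original thread. It shows the other common fix for missing post-process results: making the base search transforming (`| stats count by dest, vendor_product`) so that every field a panel needs is produced explicitly and the post-process searches work over a small aggregated result set rather than raw events, which Splunk caps (10,000 events) before post-processing. It assumes the same `Malware.Malware_Attacks` data model as the thread and trims the token set down to a time picker and a hostname text input; the panel titles, the second chart panel and the input labels are illustrative.

```xml
<form>
  <label>Malware Attacks (base search example)</label>

  <fieldset submitButton="false">
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="hostname_tok">
      <label>Destination host contains</label>
      <default>*</default>
    </input>
  </fieldset>

  <!-- Base search (example, not from the thread). It is transforming: every field
       any panel below needs (dest, vendor_product, count) is produced here, and the
       result set is already aggregated, so post-processing never runs over raw events. -->
  <search id="baseSearch1">
    <query>
      | from datamodel:"Malware.Malware_Attacks"
      | search dest="*$hostname_tok$*" sourcetype!=carbonblack:defense:json
      | stats count by dest, vendor_product
    </query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>

  <row>
    <panel>
      <title>Top Destinations</title>
      <table>
        <search base="baseSearch1">
          <!-- Counts are already aggregated per dest/vendor_product in the base search,
               so re-aggregate with sum(count), not count, to get events per dest. -->
          <query>
            | stats values(vendor_product) AS "Vendor Product" sum(count) AS count by dest
            | sort - count
          </query>
        </search>
        <option name="count">15</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>

    <panel>
      <title>Events by Vendor Product</title>
      <chart>
        <!-- Second consumer of the same base search: only fields the base search
             returns (vendor_product, count) are referenced. -->
        <search base="baseSearch1">
          <query>
            | stats sum(count) AS count by vendor_product
            | sort - count
          </query>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</form>
```

A quick check before trusting any base-search panel: run the base search and one post-process search joined with a pipe in the search bar (the same thing the magnifying glass does) and compare the result count with the panel. If they differ, either a field the panel references is not returned by the base search, or the base search returns raw events and is being truncated before post-processing.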
I made the change, but I'm still not seeing the correct data. I opened the view in a search, and the correct data showed up when it was in Fast Mode. I changed it to Verbose Mode, and the results were what I was seeing on the view.
Is there any way that I can make the view run in Fast Mode? I've read that it runs in Fast Mode by default, but this one obviously isn't working correctly.