Solved: Base search not returning results

b17gunnr · ‎03-21-2025

Hello folks,

I trying to use a base search within a dashboard but it consistently returns no results. However, when I click Open in Search the results appear as expected. Any of you fine people have any suggestions?

<dashboard version="1.1" theme="dark">
  <search id="recycle">
    <query> index=o365_sharepoint AND (Operation=FileRecycled OR Operation=FolderRecycled OR Operation=FileVersionsAllDeleted) </query>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </search>
  <label>Test Dashboard</label>
  <row>
    <panel>
      <title>Abnormal File Deletion and Recycle Patterns</title>
      <table>
        <search base="recycle">
          <query> | stats count as "Object Deletions" BY UserId | search "Object Deletions" &gt; 50 | sort - "Object Deletions" </query>
        </search>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
</dashboard>

catdadof3 · ‎03-21-2025

I was able to replicate your problem - looks like if you use a table or fields command with the fields you need underneath the index search you can get results.

  <search id="recycle">
    <query> 
 index=o365_sharepoint AND (Operation=FileRecycled OR Operation=FolderRecycled OR Operation=FileVersionsAllDeleted)
| fields UserId Whateverotherfields
    </query>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </search>

View solution in original post

PickleRick · ‎03-21-2025

Generally, the base search should be a transforming search and it shouldn't be too big. But if it's a normal event search, you should explicitly list fields you'll be using later (as @catdadof3 pointed out - with fields or table command).

catdadof3 · ‎03-21-2025

I was able to replicate your problem - looks like if you use a table or fields command with the fields you need underneath the index search you can get results.

  <search id="recycle">
    <query> 
 index=o365_sharepoint AND (Operation=FileRecycled OR Operation=FolderRecycled OR Operation=FileVersionsAllDeleted)
| fields UserId Whateverotherfields
    </query>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </search>

b17gunnr · ‎03-21-2025

Making this adjustment was just what I needed. I noticed that as I started playing with fields I could change the results, but I was focusing on the secondary query as opposed to the base query. Thank you all for the help and advice.

marnall · ‎03-21-2025

I copied your dashboard into my test instance and modified the base search to find events, and it worked.

As a test, could you try saving your full search as a dashboard panel for a new dashboard, then editing the source of that new dashboard to move the first half of the search into a base query?

b17gunnr · ‎03-21-2025

Hello,

That's actually where I started this. I took a functioning panel with the full query and then ripped out the primary section for the base search. I also tried creating a new dashboard from scratch and get the same empty results. The only thing I can do to so something displays is to comment out all of

<query> | stats count as "Object Deletions" BY UserId | search "Object Deletions" > 50 | sort - "Object Deletions" </query>

If I leave any part of that code in, it fails.

marnall · ‎03-21-2025

Does it work if you use any other command in the query? E.g. just "| stats count"

Also what version of Splunk are you using, out of curiosity?

Base search not returning results

other

Can’t make it to .conf25? Join us online!

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Customer success is front and center at .conf25

Are you a member of the Splunk Community?