Solved: Base search not returning results

b17gunnr · ‎03-21-2025

Hello folks,

I trying to use a base search within a dashboard but it consistently returns no results. However, when I click Open in Search the results appear as expected. Any of you fine people have any suggestions?

<dashboard version="1.1" theme="dark">
  <search id="recycle">
    <query> index=o365_sharepoint AND (Operation=FileRecycled OR Operation=FolderRecycled OR Operation=FileVersionsAllDeleted) </query>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </search>
  <label>Test Dashboard</label>
  <row>
    <panel>
      <title>Abnormal File Deletion and Recycle Patterns</title>
      <table>
        <search base="recycle">
          <query> | stats count as "Object Deletions" BY UserId | search "Object Deletions" &gt; 50 | sort - "Object Deletions" </query>
        </search>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
</dashboard>

catdadof3 · ‎03-21-2025

I was able to replicate your problem - looks like if you use a table or fields command with the fields you need underneath the index search you can get results.

  <search id="recycle">
    <query> 
 index=o365_sharepoint AND (Operation=FileRecycled OR Operation=FolderRecycled OR Operation=FileVersionsAllDeleted)
| fields UserId Whateverotherfields
    </query>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </search>

View solution in original post

PickleRick · ‎03-21-2025

Generally, the base search should be a transforming search and it shouldn't be too big. But if it's a normal event search, you should explicitly list fields you'll be using later (as @catdadof3 pointed out - with fields or table command).

catdadof3 · ‎03-21-2025

I was able to replicate your problem - looks like if you use a table or fields command with the fields you need underneath the index search you can get results.

  <search id="recycle">
    <query> 
 index=o365_sharepoint AND (Operation=FileRecycled OR Operation=FolderRecycled OR Operation=FileVersionsAllDeleted)
| fields UserId Whateverotherfields
    </query>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </search>

b17gunnr · ‎03-21-2025

Making this adjustment was just what I needed. I noticed that as I started playing with fields I could change the results, but I was focusing on the secondary query as opposed to the base query. Thank you all for the help and advice.

marnall · ‎03-21-2025

I copied your dashboard into my test instance and modified the base search to find events, and it worked.

As a test, could you try saving your full search as a dashboard panel for a new dashboard, then editing the source of that new dashboard to move the first half of the search into a base query?

b17gunnr · ‎03-21-2025

Hello,

That's actually where I started this. I took a functioning panel with the full query and then ripped out the primary section for the base search. I also tried creating a new dashboard from scratch and get the same empty results. The only thing I can do to so something displays is to comment out all of

<query> | stats count as "Object Deletions" BY UserId | search "Object Deletions" > 50 | sort - "Object Deletions" </query>

If I leave any part of that code in, it fails.

marnall · ‎03-21-2025

Does it work if you use any other command in the query? E.g. just "| stats count"

Also what version of Splunk are you using, out of curiosity?

Base search not returning results

other

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Base search not returning results

other

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!