Hello folks,
I'm trying to use a base search within a dashboard, but it consistently returns no results. However, when I click Open in Search, the results appear as expected. Any of you fine people have any suggestions?
<dashboard version="1.1" theme="dark">
<search id="recycle">
<query> index=o365_sharepoint AND (Operation=FileRecycled OR Operation=FolderRecycled OR Operation=FileVersionsAllDeleted) </query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<label>Test Dashboard</label>
<row>
<panel>
<title>Abnormal File Deletion and Recycle Patterns</title>
<table>
<search base="recycle">
<query> | stats count as "Object Deletions" BY UserId | search "Object Deletions" > 50 | sort - "Object Deletions" </query>
</search>
<option name="drilldown">cell</option>
</table>
</panel>
</row>
</dashboard>
I was able to replicate your problem - looks like if you use a table or fields command with the fields you need underneath the index search you can get results.
<search id="recycle">
<query>
index=o365_sharepoint AND (Operation=FileRecycled OR Operation=FolderRecycled OR Operation=FileVersionsAllDeleted)
| fields UserId Whateverotherfields
</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
Generally, the base search should be a transforming search and it shouldn't be too big. But if it's a normal event search, you should explicitly list fields you'll be using later (as @catdadof3 pointed out - with fields or table command).
Making this adjustment was just what I needed. I noticed that as I started playing with fields I could change the results, but I was focusing on the secondary query as opposed to the base query. Thank you all for the help and advice.
I copied your dashboard into my test instance and modified the base search to find events, and it worked.
As a test, could you try saving your full search as a dashboard panel for a new dashboard, then editing the source of that new dashboard to move the first half of the search into a base query?
Hello,
That's actually where I started this. I took a functioning panel with the full query and then ripped out the primary section for the base search. I also tried creating a new dashboard from scratch and got the same empty results. The only thing I can do so that something displays is to comment out all of
<query> | stats count as "Object Deletions" BY UserId | search "Object Deletions" > 50 | sort - "Object Deletions" </query>
If I leave any part of that code in, it fails.
Does it work if you use any other command in the query? E.g. just "| stats count"
Also what version of Splunk are you using, out of curiosity?