
Base search on a dashboard

N-W
Explorer

Hello!

I have been trying to make a base search on a dashboard with a time and environment input as a drop-down.
It only searches once and doesn't actually change my search once I change my input. Is there something I'm missing?

This is my form inputs:

 

<form>
  <fieldset submitButton="false" autoRun="false">
    <input type="dropdown" token="env">
      <label>Environment</label>
      <choice value="TEST">TEST</choice>
      <choice value="DEV">DEV</choice>
      <choice value="PRD">PRD</choice>
    </input>
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

 

 
This is my base search and 2 different pie charts:

 

  <search id="base_search">
    <query>index=Lorem logtype=ipsum enviroment=$env$ | stats count BY status</query>
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
  </search>
  <row>
    <panel>
      <chart>
        <search base="base_search">
          <query>search statuscode&lt;400</query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <search base="base_search">
          <query>search statuscode>400</query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>
</form>

 

 

1 Solution

gcusello
SplunkTrust

Hi @N-W,

If you have two fields, you have to modify your search, because the problem in your search isn't related to the use of the base search, it's in the search!

So try to run your search as a single search and debug it; when it is OK, you'll be able to split it into a base search and the panels' searches.

In other words, please debug this search, which surely will NOT run:

index=Lorem logtype=ipsum enviroment=$env$ 
| stats count BY status
| where statuscode>400

Remember that after a "stats" command, you have only the fields used in the command, in your case: count and status.

For this reason you cannot use the statuscode field, because it isn't available after your stats command.

What's your situation: do you have status and statuscode and want to use them together?

In this case you could run something like this:

index=Lorem logtype=ipsum enviroment=$env$ 
| eval status=coalesce(status,statuscode)
| stats count BY status
| where status>400

Or, if instead you have two fields and you want to use both of them, try something like this:

index=Lorem logtype=ipsum enviroment=$env$ 
| stats values(statuscode) AS statuscode count BY status
| where statuscode>400

As I said, debug your search without thinking about the base search; then you'll be able to split it!

If you need help, share your search (the one you shared in the main question isn't usable).

Ciao.

Giuseppe
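
The answer's point applied to the dashboard from the question, as an added example that is not code from the original posts: the base search groups by the field the panels filter on, so that field still exists after `stats`. It assumes the events carry a numeric `statuscode` field; the index, logtype and `enviroment` field name are taken as written in the question.

```xml
<form>
  <fieldset submitButton="false">
    <input type="dropdown" token="env">
      <label>Environment</label>
      <choice value="TEST">TEST</choice>
      <choice value="DEV">DEV</choice>
      <choice value="PRD">PRD</choice>
    </input>
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <!-- Base search: only "statuscode" and "count" survive the stats command,
       so every post-process search below may reference just those two fields. -->
  <search id="base_search">
    <query>index=Lorem logtype=ipsum enviroment=$env$ | stats count BY statuscode</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <row>
    <panel>
      <chart>
        <!-- Post-process search: filters on a field the base search kept.
             "<" must be written as &lt; inside Simple XML. -->
        <search base="base_search">
          <query>| where statuscode &lt; 400</query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <search base="base_search">
          <query>| where statuscode &gt; 400</query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>
</form>
```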


gcusello
SplunkTrust

Hi @N-W,

In your dashboard I see only one error:

in the base search you have "stats count BY status",

whereas in the panels you have "search statuscode<400" or "search statuscode>400".

You have to use the same field name.

You can debug your situation by opening the panel in search:

you'll get the complete search (which is not running) and you can see the error.

Ciao.

Giuseppe

N-W
Explorer

Hello!

I have in my fields statuscode and status. The problem is that it runs only once when I put in the input; no matter how many times I change the input, it still doesn't change the search 😞

//N-W


