Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Base search on a dashboard
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello!
I have been trying to make a base search on a dashboard with a time and environment input as a drop-down.
It only search it once and don't actually change my search ones i change my input. Is there something I'm missing?
This is my form inputs:
<form>
<fieldset submitButton="false" autoRun="false">
<input type="dropdown" token="env">
<label>Environment</label>
<choice value="TEST">TEST</choice>
<choice value="DEV">DEV</choice>
<choice value="PRD">PRD</choice>
</input>
<input type="time" token="time">
<label>Time</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
This is my basesearch and 2 diffrent pie charts:
<search id="base_search">
<query>index=Lorem logtype=ipsum enviroment=$env$ | stats count BY status</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<row>
<panel>
<chart>
<search base="base_search">
<query> search statuscode<400 <query>
</search>
<option name="charting.chart">pie</option>
</chart>
</panel>
</row>
<row>
<panel>
<chart>
<search base="base_search">
<query> search statuscode>400 <query>
</search>
<option name="charting.chart">pie</option>
</chart>
</panel>
</row>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @N-W,
If you have two fiels, you have to modify your search, because the problem in your search isn't related to the use of base-search, it's in the search!
So try to run your search in only one search and debug it; when it will be ok, you'll be able to split it in base search and panels' search.
In other words, please debug this search that surely will NOT run:
index=Lorem logtype=ipsum enviroment=$env$
| stats count BY status
| where statuscode>400remember that after a "stats" command, you have only the fields used in the command, in your case: count and status.
For this reason you cannot use statuscode field, because it isn't available after your stats command.
What's your situation: you have status and statuscode and you want to use them together?
In this case you could run something like this:
index=Lorem logtype=ipsum enviroment=$env$
| eval status=coalesce(status,statuscode)
| stats count BY status
| where status>400Or instead you have two fields and you want to use both of them, try something like this:
index=Lorem logtype=ipsum enviroment=$env$
| stats values(statuscode) AS statuscode count BY status
| where statuscode>400As I said, debug your search without thinking to base search, then, you'll be able to split it!
If you need help share your search (the one you shared in the main question isn't usable).
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @N-W,
In your dashboard I see only one error:
you have in the base search "stats count BY status2
instaead in the panels you have "search statuscode<400" or "search statuscode>400"
you have to use the same field name.
You can debug your situation, opening the panel in search:
you'll have the complete search (that is not running) and you can see the error.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello!
I have in my fields statuscode and status. Problem is that it runs only once when i put the input, how many times i change the input it still doesnt change the search 😞
//N-W
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @N-W,
If you have two fiels, you have to modify your search, because the problem in your search isn't related to the use of base-search, it's in the search!
So try to run your search in only one search and debug it; when it will be ok, you'll be able to split it in base search and panels' search.
In other words, please debug this search that surely will NOT run:
index=Lorem logtype=ipsum enviroment=$env$
| stats count BY status
| where statuscode>400remember that after a "stats" command, you have only the fields used in the command, in your case: count and status.
For this reason you cannot use statuscode field, because it isn't available after your stats command.
What's your situation: you have status and statuscode and you want to use them together?
In this case you could run something like this:
index=Lorem logtype=ipsum enviroment=$env$
| eval status=coalesce(status,statuscode)
| stats count BY status
| where status>400Or instead you have two fields and you want to use both of them, try something like this:
index=Lorem logtype=ipsum enviroment=$env$
| stats values(statuscode) AS statuscode count BY status
| where statuscode>400As I said, debug your search without thinking to base search, then, you'll be able to split it!
If you need help share your search (the one you shared in the main question isn't usable).
Ciao.
Giuseppe
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
