Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can Base Searches be nested?

roukepouw
Explorer
‎10-02-2015 07:53 AM

I tried to do the following in a dashboard:

First declare two base searches, the second one using the first one:

<search id="baseSearch1">
            <query> [QUERY1] </query>
</search>

<search base="baseSearch1" id="baseSearch2">
            <query>  [QUERY2] </query>
</search>

 <row>
    <panel>
      <single>
        <search base="baseSearch2">
            <query> [QUERY3]</query>
        </search>
         </single>
     </panel>
</row>

Hoping to end up with a combined query result for [QUERY1] | [QUERY2] |[QUERY3]. Unfortunately, this did not seem to work. (Splunk 6.3)

However, when click the magnifiyng glass below the dashboard element I'm sent to the search interface with the combined query and the results (!) Suggesting that I might be on the right track to somehow implement a nested base search.

I was wondering whether this was a known (solvable?) issue or perhaps a bug?

Reply

sabysingh
Explorer
‎03-25-2020 06:56 PM

I have the same use case as OP. My dashboard queries millions of same set of base events, but I need to do different stats and evals on query results for different panels. I would like to create a common first-level base query. There are some groups of dashboard panels that share common sets of queries, and for each group I would like to create a different second-level base query using first-level base query. Each dashboard would then use its second-level base query for the final unique stats and evals. It is the funnel concept of going from most common to specific.
appendcols is not going to solve the issue.,

0 Karma
Reply

to4kawa
Ultra Champion
‎04-04-2020 06:38 PM 
<dashboard>
  <label>nested query</label>
  <row>
    <panel>
      <table>
        <search id="baseSearch1">
          <query>| makeresults count=2</query>
        </search>
      </table>
      <table>
        <search base="baseSearch1" id="baseSearch2">
          <query>|streamstats count</query>
        </search>
      </table>
      <single>
        <search base="baseSearch2">
          <query>| table count</query>
        </search>
      </single>
    </panel>
  </row>
</dashboard>

@sabysingh
nested query is OK. please ask another question.

Reply

Richfez
SplunkTrust
SplunkTrust
‎10-04-2015 08:23 AM

What are you trying to accomplish, and why can't you just create the dashboard panel from a search using appendcols as mentioned by dflodstrom (in which case he should credit for that answer) or other search commands (like a simple "condition 1 OR condition 2 OR condition 3")?

0 Karma
Reply

roukepouw
Explorer
‎11-23-2015 02:38 AM

To increase effiency: using the base search I retrieve several million events, I wouldn't like to repeat such a search several times.
Secondly to decrease code duplication.

0 Karma
Reply

sabysingh
Explorer
‎03-25-2020 06:57 PM

I have the same use case as OP. My dashboard queries millions of same set of base events, but I need to do different stats and evals on query results for different panels. I would like to create a common first-level base query. There are some groups of dashboard panels that share common sets of queries, and for each group I would like to create a different second-level base query using first-level base query. Each dashboard would then use its second-level base query for the final unique stats and evals. It is the funnel concept of going from most common to specific.
appendcols is not going to solve the issue.

0 Karma
Reply

dflodstrom
Builder
‎10-02-2015 12:58 PM

I've had success with the appendcols command have a look at the info here on splunk docs

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎04-05-2020 01:35 PM

If there are “missing” fields on second query, try to add “| fields a, b, c ..” to the QUERY1.

R. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...