Splunk Search

Can Base Searches be nested?

roukepouw
Explorer

I tried to do the following in a dashboard:

First declare two base searches, the second one using the first one:

<search id="baseSearch1">
            <query> [QUERY1] </query>
</search>

<search base="baseSearch1" id="baseSearch2">
            <query>  [QUERY2] </query>
</search>

 <row>
    <panel>
      <single>
        <search base="baseSearch2">
            <query> [QUERY3]</query>
        </search>
         </single>
     </panel>
</row>

Hoping to end up with a combined query result for [QUERY1] | [QUERY2] |[QUERY3]. Unfortunately, this did not seem to work. (Splunk 6.3)

However, when click the magnifiyng glass below the dashboard element I'm sent to the search interface with the combined query and the results (!) Suggesting that I might be on the right track to somehow implement a nested base search.

I was wondering whether this was a known (solvable?) issue or perhaps a bug?

sabysingh
Explorer

I have the same use case as OP. My dashboard queries millions of same set of base events, but I need to do different stats and evals on query results for different panels. I would like to create a common first-level base query. There are some groups of dashboard panels that share common sets of queries, and for each group I would like to create a different second-level base query using first-level base query. Each dashboard would then use its second-level base query for the final unique stats and evals. It is the funnel concept of going from most common to specific.
appendcols is not going to solve the issue.,

0 Karma

to4kawa
Ultra Champion
<dashboard>
  <label>nested query</label>
  <row>
    <panel>
      <table>
        <search id="baseSearch1">
          <query>| makeresults count=2</query>
        </search>
      </table>
      <table>
        <search base="baseSearch1" id="baseSearch2">
          <query>|streamstats count</query>
        </search>
      </table>
      <single>
        <search base="baseSearch2">
          <query>| table count</query>
        </search>
      </single>
    </panel>
  </row>
</dashboard>

@sabysingh
nested query is OK. please ask another question.

Richfez
SplunkTrust
SplunkTrust

What are you trying to accomplish, and why can't you just create the dashboard panel from a search using appendcols as mentioned by dflodstrom (in which case he should credit for that answer) or other search commands (like a simple "condition 1 OR condition 2 OR condition 3")?

0 Karma

roukepouw
Explorer

To increase effiency: using the base search I retrieve several million events, I wouldn't like to repeat such a search several times.
Secondly to decrease code duplication.

0 Karma

sabysingh
Explorer

I have the same use case as OP. My dashboard queries millions of same set of base events, but I need to do different stats and evals on query results for different panels. I would like to create a common first-level base query. There are some groups of dashboard panels that share common sets of queries, and for each group I would like to create a different second-level base query using first-level base query. Each dashboard would then use its second-level base query for the final unique stats and evals. It is the funnel concept of going from most common to specific.
appendcols is not going to solve the issue.

0 Karma

dflodstrom
Builder

I've had success with the appendcols command have a look at the info here on splunk docs

0 Karma

isoutamo
SplunkTrust
SplunkTrust

If there are “missing” fields on second query, try to add “| fields a, b, c ..” to the QUERY1.

R. Ismo

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...