Re: Can Base Searches be nested?

roukepouw · ‎10-02-2015

I tried to do the following in a dashboard:

First declare two base searches, the second one using the first one:

<search id="baseSearch1">
            <query> [QUERY1] </query>
</search>

<search base="baseSearch1" id="baseSearch2">
            <query>  [QUERY2] </query>
</search>

 <row>
    <panel>
      <single>
        <search base="baseSearch2">
            <query> [QUERY3]</query>
        </search>
         </single>
     </panel>
</row>

Hoping to end up with a combined query result for [QUERY1] | [QUERY2] |[QUERY3]. Unfortunately, this did not seem to work. (Splunk 6.3)

However, when click the magnifiyng glass below the dashboard element I'm sent to the search interface with the combined query and the results (!) Suggesting that I might be on the right track to somehow implement a nested base search.

I was wondering whether this was a known (solvable?) issue or perhaps a bug?

sabysingh · ‎03-25-2020

I have the same use case as OP. My dashboard queries millions of same set of base events, but I need to do different stats and evals on query results for different panels. I would like to create a common first-level base query. There are some groups of dashboard panels that share common sets of queries, and for each group I would like to create a different second-level base query using first-level base query. Each dashboard would then use its second-level base query for the final unique stats and evals. It is the funnel concept of going from most common to specific.
appendcols is not going to solve the issue.,

to4kawa · ‎04-04-2020

<dashboard>
  <label>nested query</label>
  <row>
    <panel>
      <table>
        <search id="baseSearch1">
          <query>| makeresults count=2</query>
        </search>
      </table>
      <table>
        <search base="baseSearch1" id="baseSearch2">
          <query>|streamstats count</query>
        </search>
      </table>
      <single>
        <search base="baseSearch2">
          <query>| table count</query>
        </search>
      </single>
    </panel>
  </row>
</dashboard>

@sabysingh
nested query is OK. please ask another question.

Richfez · ‎10-04-2015

What are you trying to accomplish, and why can't you just create the dashboard panel from a search using appendcols as mentioned by dflodstrom (in which case he should credit for that answer) or other search commands (like a simple "condition 1 OR condition 2 OR condition 3")?

roukepouw · ‎11-23-2015

To increase effiency: using the base search I retrieve several million events, I wouldn't like to repeat such a search several times.
Secondly to decrease code duplication.

sabysingh · ‎03-25-2020

I have the same use case as OP. My dashboard queries millions of same set of base events, but I need to do different stats and evals on query results for different panels. I would like to create a common first-level base query. There are some groups of dashboard panels that share common sets of queries, and for each group I would like to create a different second-level base query using first-level base query. Each dashboard would then use its second-level base query for the final unique stats and evals. It is the funnel concept of going from most common to specific.
appendcols is not going to solve the issue.

dflodstrom · ‎10-02-2015

I've had success with the appendcols command have a look at the info here on splunk docs

isoutamo · ‎04-05-2020

If there are “missing” fields on second query, try to add “| fields a, b, c ..” to the QUERY1.

R. Ismo

Can Base Searches be nested?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation