Splunk Search

Does the date range in the Base search carry forward to the Post Process search, or can they have different time ranges?

Motivator

Hi,

I just wonder whether someone may be able to help me please.

I'm trying to put together a post-process/base search with a format similar to that below:

```xml
<search id="baseSearch">
  <query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
  <earliest>-30d</earliest>
  <latest>now</latest>
</search>

<search base="baseSearch">
  <query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
  <earliest>-1d</earliest>
  <latest>now</latest>
</search>
```

Could someone tell me please, does the date period in the 'Base' search carry forward to the 'Post Process' search, or can they be different as shown in my example above?

Many thanks and kind regards

Chris

1 Solution

Champion

Yes, the post-process search only contains those fields / transformed data from the base search. Your query in the post-process search should not have any reference to index or source. Think of your post-process search as another pipe, like you're piping the results from your base search into another command, except you are able to pipe your base search into multiple transforming commands or panels.

Your searches should look like this.

```xml
<search id="baseSearch">
  <query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
  <earliest>-30d</earliest>
  <latest>now</latest>
</search>

<search base="baseSearch">
  <query>where component="foo"</query>
</search>

<search base="baseSearch">
  <query>where component="bar"</query>
</search>
```


Motivator

Hi @bmacias84, many thanks for the confirmation.

Kind Regards

Chris


New Member

Is there a way we can override the time range mentioned in the base search in the post-processing search? I need this as I need 2 different charts for the same query, but with different time ranges. Please help.


Champion

@krsrbh I don't think you understand how post-process search works. A post-process search can only contain data from the base search. If you need separate time spans you will need to add a subsearch to your base search. In the post-process search you will need a filter statement to omit data from one post-process search or another.

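The accepted answer's point (a post-process search is just another pipe over the base search's results, so it cannot widen or narrow the base search's time range on its own) and the later question about two charts with different time ranges come together in the following complete Simple XML dashboard. This is an added example, not code posted by anyone in this thread: the base search covers the widest window any panel needs (30 days) and tags each event with a flag, so one panel re-aggregates the whole window while the other keeps only the last day, without either post-process search carrying its own `<earliest>`/`<latest>`. The flag name `in_last_day`, the dashboard label and the panel titles are my own choices; `relative_time(now(), "-1d")` is chosen to match the `-1d` earliest in the original question.

```xml
<dashboard>
  <label>splunkd components: last 30 days vs. last day (added example)</label>

  <!-- Base search: transforming, and spanning the widest window any panel needs.
       The in_last_day flag (an assumed field name) is carried through stats so
       that a post-process panel can select the narrower window later. -->
  <search id="baseSearch">
    <query>
      index=_internal source=*splunkd.log
      | eval in_last_day=if(_time >= relative_time(now(), "-1d"), 1, 0)
      | stats count by component, log_level, in_last_day
    </query>
    <earliest>-30d</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Last 30 days</title>
      <chart>
        <!-- Post-process: no index/source, no earliest/latest. Sum over both
             flag values to get the full 30-day count per component/log_level. -->
        <search base="baseSearch">
          <query>chart sum(count) AS count over component by log_level</query>
        </search>
      </chart>
    </panel>
    <panel>
      <title>Last 24 hours</title>
      <chart>
        <!-- Same base results, filtered to the narrower window via the flag. -->
        <search base="baseSearch">
          <query>where in_last_day=1 | chart sum(count) AS count over component by log_level</query>
        </search>
      </chart>
    </panel>
  </row>
</dashboard>
```

Two things to check when adapting this: every field a post-process query filters or aggregates on must survive the base search's `stats` (here `component`, `log_level` and `in_last_day`), and the base search should itself be transforming as above, since a post-process search over raw events is limited to the first 500,000 results of the base search by default.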