Is anyone having issues with base searches in 7.2?

Builder

Having some strange behavior with base searches right now. For example, we have events like this flowing into Splunk:

{   [-] 
     after:  f082add60bd2dee91c16b34ff82d20b26767d63c   
     before:     1182aef3bf03c42f4d93be03cc28c1eead5bda7f   
     checkout_sha:   f082add60bd2dee91c16b34ff82d20b26767d63c   
     commits:   [   [+] 
    ]   
     event_name:     push   
     message:    null   
     object_kind:    push   
     project:   {   [+] 
    }   
     project_id:     21738  
     ref:    refs/heads/master  
     repository:    {   [+] 
    }   
     total_commits_count:    1  
     user_avatar:    https://www.gravatar.com/avatar/9a2d59bf028f9dcfa528fe54f15642bd?s=80&d=identicon  
     user_email:     me@you.com 
     user_id:    131    
     user_name:  Me You 
     user_username:  Me You 
}

And here is my dashboard:

<form>
  <label>Git - Audit</label>
  <search id="base_s">
    <query>index = app_gitaudit project.name=$field2$</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Stats By Event</title>
      <chart>
        <search base="base_s">
          <query>| stats c by event_name</query>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.chart">bar</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
</form>

The strange thing is that the "Stats By Event" panel shows that results were not found. However, if you click the search button (magnifying glass), the search produces results.

0 Karma

Re: Is anyone having issues with base searches in 7.2?

Super Champion

I tested it in a similar way in Splunk 7.2 and it's working fine:

<form>
  <label>Test_690859</label>
  <search id="base_s">
    <query>index=_internal</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-7m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Stats By Event</title>
      <chart>
        <search base="base_s">
          <query>| stats count by source</query>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.chart">bar</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
</form>

Not sure how the field2 token gets populated in your dashboard.

0 Karma

Re: Is anyone having issues with base searches in 7.2?

Builder

Sorry, I accidentally cut out that panel; field2 was a dropdown that did a stats on the projects by name. But very interesting, I'll keep digging.

0 Karma

Re: Is anyone having issues with base searches in 7.2?

Builder

Ah, figured it out:

See: https://answers.splunk.com/answers/432023/dashboard-base-search-is-not-working-for-all-panel.html

Basically had to add 'fields' to force the base search to keep the fields I needed.

0 Karma
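
The fix described in the last post, applied to the dashboard from the question (an added example, not code posted in the thread): the non-transforming base search ends with `| fields` naming every field the post-process search reads. The `field2` dropdown is an assumed reconstruction of the input the poster left out, and the list of kept fields is an assumption based on the one panel shown.

```xml
<form>
  <label>Git - Audit</label>
  <!-- Non-transforming base search: post-process searches only see fields
       that are explicitly kept here, so list them with "fields". -->
  <search id="base_s">
    <query>index=app_gitaudit project.name=$field2$ | fields event_name, "project.name"</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Assumed: dropdown populated by a stats over project names -->
    <input type="dropdown" token="field2">
      <label>Project</label>
      <fieldForLabel>project.name</fieldForLabel>
      <fieldForValue>project.name</fieldForValue>
      <search>
        <query>index=app_gitaudit | stats count by project.name</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Stats By Event</title>
      <chart>
        <!-- event_name survives the base search, so this now returns rows -->
        <search base="base_s">
          <query>| stats count by event_name</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</form>
```

Any panel added later that post-processes `base_s` needs its fields added to the same `fields` list, otherwise it shows "no results" in the dashboard while the same search run from the magnifying glass still returns events.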