Splunk Search

Is it possible to create Time chart with search with base search?

fvegdom
Path Finder

I have a dashboard with the following base search:

<search id="CreatedDossierCount">
  <query>index="customer1-closecl-prod-long" application="closecl" transactionType="createDossier"</query>
  <earliest>$field1.earliest$</earliest>
  <latest>$field1.latest$</latest>
</search>

and several panels based on this search, this simple one is working fine:

<panel>
  <title>Aantal aanvragen vandaag</title>
  <single>
    <title>Aantal aanvragen</title>
    <search base="CreatedDossierCount">
      <query> stats count</query>
    </search>
    <option name="drilldown">none</option>
    <option name="trellis.enabled">0</option>
    <option name="trellis.size">medium</option>
  </single>
</panel>

gives me a number 35 at the moment.

but a second one with a time chart is not:

<panel>
  <title>Aantal aanvragen per tijdseenheid</title>
  <table>
    <search base="CreatedDossierCount">
      <query>timechart minspan=1d bins=12 dc(dossierId) as count | fillnull</query>
    </search>
    <option name="drilldown">none</option>
    <option name="link.inspectSearch.visible">1</option>
    <option name="link.openSearch.visible">1</option>
  </table>
</panel>

it gives me this result:

[screenshot]

If I then open it in search, I get this search from it:

index="customer1-closecl-prod-long" application="closecl" transactionType="createDossier" | timechart minspan=1d bins=12 dc(dossierId) as count | fillnull

as expected. Which gives me this result:

[screenshot]

I even tried creating a dashboard panel from that search again, which gives me the same proper result, but if I move the first part of the search to the base search again I get the zeroes back.
This leads me to believe it is the combination of the base search and timechart. But I could be wrong.

0 Karma

virtualspeed
New Member

I think you have missed out a pipe on the query?

timechart

Should be:
| timechart

0 Karma

elliotproebstel
Champion

I suspect you are running into this issue:

In post-process searches, reference fields that are also referenced in the base search. If you are not referencing a particular field in the base search, do not reference it in the post-process search. Fields without a reference in the base search appear null in a post-process search. The post-process search returns no results in this case.
Source: http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches

So you could try adding | fields * to the base search in order to ensure the field is preserved. But the same documentation also mentions other pitfalls of using post-processing on a search that involves no transforming commands. Given that your base search does not use any transforming commands, I think you may not get any benefit from using that as a base search anyway, and you may be best served by just using the whole query in the place where you've been trying to use a post-processed search.
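The dashboard from the question with the suggestion above applied, as an added example that is not part of the thread: a `fields` command at the end of the base search keeps `_time` and `dossierId` in the base results, so the post-process `timechart` no longer sees `dossierId` as null. The time input is assumed to be what populates the `$field1$` token; the search id, index and field names are the ones from the question.

```xml
<!-- Added example (not from the original thread). The base search from the
     question, extended with "| fields _time, dossierId" so the fields the
     post-process panels reference are preserved. -->
<form>
  <fieldset submitButton="false">
    <!-- Assumed time picker; it supplies $field1.earliest$ / $field1.latest$ -->
    <input type="time" token="field1">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Base search: no transforming command, so only fields kept here are
       visible to the panels that post-process it. -->
  <search id="CreatedDossierCount">
    <query>index="customer1-closecl-prod-long" application="closecl" transactionType="createDossier" | fields _time, dossierId</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>

  <row>
    <panel>
      <title>Aantal aanvragen</title>
      <single>
        <!-- Unchanged: stats count needs no specific field -->
        <search base="CreatedDossierCount">
          <query>stats count</query>
        </search>
      </single>
    </panel>
    <panel>
      <title>Aantal aanvragen per tijdseenheid</title>
      <table>
        <!-- dossierId is now carried by the base search, so dc(dossierId) is non-zero -->
        <search base="CreatedDossierCount">
          <query>timechart minspan=1d bins=12 dc(dossierId) as count | fillnull</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

`| fields *` as suggested in the answer works as well; listing only the fields the panels actually use keeps the base search's result set smaller.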
