Splunk Search

Is it possible to create Time chart with search with base search?

fvegdom
Path Finder

I have a dashboard with the following base search:

<search id="CreatedDossierCount">
  <query>index="customer1-closecl-prod-long" application="closecl" transactionType="createDossier"</query>
  <earliest>$field1.earliest$</earliest>
  <latest>$field1.latest$</latest>
</search>

and several panels based on this search, this simple one is working fine:

<panel>
  <title>Aantal aanvragen vandaag</title>
  <single>
    <title>Aantal aanvragen</title>
    <search base="CreatedDossierCount">
      <query> stats count</query>
    </search>
    <option name="drilldown">none</option>
    <option name="trellis.enabled">0</option>
    <option name="trellis.size">medium</option>
  </single>
</panel>

gives me a number 35 at the moment.

but a second one with a time chart is not:

<panel>
  <title>Aantal aanvragen per tijdseenheid</title>
  <table>
    <search base="CreatedDossierCount">
      <query>timechart minspan=1d bins=12 dc(dossierId) as count | fillnull</query>
    </search>
    <option name="drilldown">none</option>
    <option name="link.inspectSearch.visible">1</option>
    <option name="link.openSearch.visible">1</option>
  </table>
</panel>

it gives me this result:

[screenshot omitted]

if I then open in search I get this search from it:

index="customer1-closecl-prod-long" application="closecl" transactionType="createDossier" | timechart minspan=1d bins=12 dc(dossierId) as count | fillnull

as expected. Which gives me this result:

[screenshot omitted]

I even tried creating a dashboard panel from that search again, which gives me the same proper result, but if I move the first part of the search to the base search again I get the zeroes back.
This leads me to believe it is the combination of the base search and timechart. But I could be wrong.


virtualspeed
New Member

I think you have missed out a pipe on the query?

timechart

Should be:
| timechart


elliotproebstel
Champion

I suspect you are running into this issue:

In post-process searches, reference fields that are also referenced in the base search. If you are not referencing a particular field in the base search, do not reference it in the post-process search. Fields without a reference in the base search appear null in a post-process search. The post-process search returns no results in this case.
Source: http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches

So you could try adding | fields * to the base search in order to ensure the field is preserved. But the same documentation also mentions other pitfalls of using post-processing on a search that involves no transforming commands. Given that your base search does not use any transforming commands, I think you may not get any benefit from using that as a base search anyway, and you may be best served by just using the whole query in the place where you've been trying to use a post-processed search.
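The following Simple XML dashboard is an added example illustrating the fix this answer suggests; it is not the original poster's dashboard nor code from Splunk's documentation. It keeps the index, field names, panel titles and the $field1$ time tokens from the question, and assumes a time input named field1 feeds those tokens. Instead of the answer's `| fields *` it uses the narrower `| fields dossierId`, which references exactly the field the timechart post-process search needs (the `fields` command keeps `_time` unless you explicitly remove it, so `timechart` still has its time axis):

```xml
<form>
  <label>Dossier dashboard (added example, not the original poster's dashboard)</label>
  <fieldset submitButton="false">
    <!-- Time picker that populates the $field1.earliest$ / $field1.latest$ tokens
         referenced by the base search (assumed name, as in the question) -->
    <input type="time" token="field1">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Base search: non-transforming, so post-process searches only see the fields this
       search references. "| fields dossierId" makes dossierId (plus the always-kept _time)
       available downstream. "| fields *" also works but hands every extracted field to
       every panel, which is more data than the panels need. -->
  <search id="CreatedDossierCount">
    <query>index="customer1-closecl-prod-long" application="closecl" transactionType="createDossier" | fields dossierId</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>

  <row>
    <panel>
      <title>Aantal aanvragen vandaag</title>
      <single>
        <!-- Unchanged from the question: a plain count never depended on dossierId -->
        <search base="CreatedDossierCount">
          <query>stats count</query>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
    <panel>
      <title>Aantal aanvragen per tijdseenheid</title>
      <table>
        <!-- dossierId now reaches this post-process search, so dc(dossierId) yields
             real distinct counts instead of the all-zero rows seen in the question -->
        <search base="CreatedDossierCount">
          <query>timechart minspan=1d bins=12 dc(dossierId) as count | fillnull</query>
        </search>
        <option name="drilldown">none</option>
        <option name="link.inspectSearch.visible">1</option>
        <option name="link.openSearch.visible">1</option>
      </table>
    </panel>
  </row>
</form>
```

A quick way to confirm the field is really being passed is to use the panel's "Inspect search" link: the post-process search's job properties list the fields the base search carried, and dossierId should appear there. Note that this fix leaves the base search non-transforming, so the other pitfalls the answer mentions still apply; if the time range grows large enough for those to bite, putting the whole query directly in the timechart panel, as the answer recommends, remains the simpler option.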
