Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to create Time chart with search with base search?

fvegdom
Path Finder
‎12-06-2017 07:19 AM

I have a dashboard with the following base search:

<search id="CreatedDossierCount">
    <query>index="customer1-closecl-prod-long" application="closecl" transactionType="createDossier"</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>

and several panels based on this search, this simple one is working fine:

<panel>
      <title>Aantal aanvragen vandaag</title>
      <single>
        <title>Aantal aanvragen</title>
        <search base="CreatedDossierCount">
          <query> stats count</query>
        </search>
        <option name="drilldown">none</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.size">medium</option>
      </single>
    </panel>

gives me a number 35 at the moment.

but a second one with a time chart is not:

 <panel>
      <title>Aantal aanvragen per tijdseenheid</title>
      <table>
        <search base="CreatedDossierCount">
          <query>timechart minspan=1d bins=12 dc(dossierId) as count | fillnull</query>
        </search>
        <option name="drilldown">none</option>
        <option name="link.inspectSearch.visible">1</option>
        <option name="link.openSearch.visible">1</option>
      </table>
    </panel>

it gives me this result:
alt text
if I then open in search I get this search from it: 

index="customer1-closecl-prod-long" application="closecl" transactionType="createDossier" | timechart minspan=1d bins=12 dc(dossierId) as count | fillnull

as expected. Which gives me this result:

alt text

I even tried creating a dashboard panel from that search again, which gives me the same proper result, but if I move the first part of the search to the basesearch again I get the zeroes back.
This leads me to believe it is the combination of the base search and timechart. But I could be wrong.

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

virtualspeed
New Member
‎01-20-2020 04:15 AM

I think you have missed out a pipe on the the query?

timechart

Should be:
| timechart

0 Karma
Reply

elliotproebstel
Champion
‎12-06-2017 08:01 AM

I suspect you are running into this issue:

In post-process searches, reference fields that are also referenced in the base search. If you are not referencing a particular field in the base search, do not reference it in the post-process search. Fields without a reference in the base search appear null in a post-process search. The post-process search returns no results in this case.
Source: http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches

So you could try adding | fields * to the base search in order to ensure the field is preserved. But the same documentation also mentions other pitfalls of using post-processing on a search that involves no transforming commands. Given that your base search does not use any transforming commands, I think you may not get any benefit from using that as a base search anyway, and you may be best served by just using the whole query in the place where you've been trying to use a post-processed search.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...