Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Panels that use basesearch won't display different...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hajducko
Explorer
07-20-2016
10:19 PM
I tried taking a look at this question: https://answers.splunk.com/answers/395258/how-to-specify-different-time-ranges-for-each-pane.html?ut...
However, the solution didn't work. I have a basesearch that I want the whole dashboard to use, and I grab the data over a week period. But I want some panels to only display an hour's worth of data. However, they just reset to showing the whole week's worth of data instead.
Here's part of my dashboard.
<dashboard>
<search id="baseSearch">
<query>index=salt source=/var/log/salt/master Published command details NOT find_job</query>
<earliest>@w0</earliest>
<latest>now</latest>
</search>
<label>Salt Today</label>
<row>
<panel>
<title>Jobs Run Today</title>
<single>
<search base="baseSearch">
<query>stats count</query>
</search>
<earliest>@d</earliest>
<latest>now</latest>
</single>
</panel>
Any ideas?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Raghav2384
Motivator
07-20-2016
10:58 PM
Hello,
Post populating searches work only if your parent search is sliced by time. example:
<!-- My parent search -->
<search id="baseSearch">
<query>index=salt earliest=-1w latest=now source=/var/log/salt/master Published command details NOT find_job|stats count by a,b,c,d,e,f,_time</query>
</search>
<!-- post processing reference -->
<chart>
<search base="baseSearch">
<query>| timechart count by a span=15m</query>
<earliest>-1d</earliest>
<latest>now</latest>
</search>
</chart>
<chart>
Hope this helps!
Thanks,
Raghav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Raghav2384
Motivator
07-20-2016
10:58 PM
Hello,
Post populating searches work only if your parent search is sliced by time. example:
<!-- My parent search -->
<search id="baseSearch">
<query>index=salt earliest=-1w latest=now source=/var/log/salt/master Published command details NOT find_job|stats count by a,b,c,d,e,f,_time</query>
</search>
<!-- post processing reference -->
<chart>
<search base="baseSearch">
<query>| timechart count by a span=15m</query>
<earliest>-1d</earliest>
<latest>now</latest>
</search>
</chart>
<chart>
Hope this helps!
Thanks,
Raghav
Get Updates on the Splunk Community!
Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA
Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...
.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...
If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...
A Season of Skills: New Splunk Courses to Light Up Your Learning Journey
There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...
