Splunk Search

Panels that use basesearch won't display different times

hajducko
Explorer

I tried taking a look at this question: https://answers.splunk.com/answers/395258/how-to-specify-different-time-ranges-for-each-pane.html?ut...

However, the solution didn't work. I have a basesearch that I want the whole dashboard to use, and I grab the data over a week period. But I want some panels to only display an hour's worth of data. However, they just reset to showing the whole week's worth of data instead.

Here's part of my dashboard.

<dashboard>
  <search id="baseSearch">
    <query>index=salt source=/var/log/salt/master Published command details NOT find_job</query>
    <earliest>@w0</earliest>
    <latest>now</latest>
  </search>
  <label>Salt Today</label>
  <row>
    <panel>
      <title>Jobs Run Today</title>
      <single>
        <search base="baseSearch">
          <query>stats count</query>
        </search>
        <earliest>@d</earliest>
        <latest>now</latest>
      </single>
    </panel>

Any ideas?

1 Solution

Raghav2384
Motivator

Hello,

Post populating searches work only if your parent search is sliced by time. Example:

 <!-- My parent search -->
 <search id="baseSearch">
   <query>index=salt earliest=-1w latest=now source=/var/log/salt/master Published command details NOT find_job|stats count by a,b,c,d,e,f,_time</query>
 </search>
 <!-- post processing reference -->
 <chart>
   <search base="baseSearch">
     <query>| timechart count by a span=15m</query>
     <earliest>-1d</earliest>
     <latest>now</latest>
   </search>
 </chart>

Hope this helps!

Thanks,
Raghav
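Applying the answer to the dashboard from the question, as an added example (not code from either post): the base search pulls the whole week but keeps `_time` in its output by bucketing before `stats`, and each panel's `<earliest>`/`<latest>` sit inside the post-process `<search base="...">` element rather than beside it. The `host` split field and the 1-minute bucket are assumptions; adjust them to your events.

```xml
<dashboard>
  <label>Salt Today</label>
  <!-- Base search for the whole week. Bucketing _time before stats keeps
       a time slice in every row, which the post-process searches need
       in order to apply their own, narrower ranges. -->
  <search id="baseSearch">
    <query>index=salt source=/var/log/salt/master Published command details NOT find_job
| bin _time span=1m
| stats count by _time, host</query>
    <earliest>@w0</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Jobs Run This Week</title>
      <single>
        <!-- No time range here: inherits the full week from the base search -->
        <search base="baseSearch">
          <query>| stats sum(count) as count</query>
        </search>
      </single>
    </panel>
    <panel>
      <title>Jobs Run Today</title>
      <single>
        <!-- earliest/latest belong inside the post-process search element -->
        <search base="baseSearch">
          <query>| stats sum(count) as count</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
      </single>
    </panel>
    <panel>
      <title>Jobs per 15 Minutes, Last Hour</title>
      <chart>
        <search base="baseSearch">
          <query>| timechart span=15m sum(count) as count</query>
          <earliest>-1h</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</dashboard>
```

The post-process queries aggregate the already-bucketed `count` field, so they must use `sum(count)` rather than a bare `count`, which would tally rows instead of events.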
