Hello Everyone,
I am new to Splunk and this community. I have searched everywhere for my problem, but I could not figure out what is wrong. Basically I am using a base search and a post-process search for a dashboard. My base search is something like this:
<search id="basesearch1">
<query>index=index1 | fields field1, field2</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
My second base search, which uses the first base search:
<search base="basesearch1" id="basesearch2">
<query>search field1=value1</query>
</search>
and finally the post-process search is:
<search base="basesearch2">
<query>stats count(field1) as count by field2 | sort -count | head 5</query>
</search>
When I apply it as a single search query like this, there is no problem:
index=index1 | fields field1, field2 | search field1=value1 | stats count(field1) as count by field2 | sort -count | head 5
However, in the dashboard the count numbers do not match the above search query. I used two base searches because, in the same dashboard, I need to use basesearch1 and basesearch2 in different panels as well.
See the best practices section about non-transforming base searches here:
https://docs.splunk.com/Documentation/Splunk/8.0.6/Viz/Savedsearches
As your example searches are non-transforming, it may be that you are not returning fields from the second base search.
Try adding the same | fields statement you have in your first example.
However, in principle, when getting strange results with non-transforming base searches, it may be a resource issue.
Actually, if I merge basesearch1 and basesearch2 into one base search and use the post-process after that, the result I get from the post-process is fairly similar to the result I get from the search without a base search (but not the same). Therefore, I think the problem must be a resource or a limit issue. I believe somehow the base search or the post-process search cuts the job in the middle of the search.