Splunk Search

Splunk Base Search issues


Having issues with splitting the complete search between "basesearch" and "remaining search in other panels".


Complete Search


index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA" | where like('Region', "%APAC%") | stats sum(TotalSpace) AS Total sum(UsedSpace) AS Used sum(AvailableSpace) AS Available | eval Total=round(Total/1024,0) | eval Used=round(Used/1024,0) | eval Available=round(Available/1024,0) | table Used,Available | transpose | eval Used=Used."(".Used."%)"


Below split is the only working search. but this won't work for me.


Working XML Code



  <panel depends="$nevershowup$">
       <title>BASE SEARCH PANEL</title>
           <search id="baseSearch">
               <query>index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA" | where like('Region', "%APAC%") | stats sum(TotalSpace) AS Total sum(UsedSpace) AS Used sum(AvailableSpace) AS Available | eval Total=round(Total/1024,0) | eval Used=round(Used/1024,0) | eval Available=round(Available/1024,0) | table Used,Available | transpose | </query>
            <option name="list.drilldown">none</option>
     <title>NAM Region</title>
          <search base="baseSearch">
             <query> eval Used=Used."(".Used."%)"</query>
                 <option name="charting.chart">pie</option>
                 <option name="charting.chart.showDataLabels">all</option>
                 <option name="charting.chart.showPercent">true</option>
                 <option name="charting.chart.stackMode">stacked100</option>
                 <option name="charting.drilldown">none</option>
                <option name="charting.legend.placement">top</option>
                <option name="refresh.display">progressbar</option>




The way i want it to work but not working


The reason is, i have many panels and the common string in all panel is "index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA" and i want to use this in base search. I tried using "| fields *" from the other solutions suggested in splunk community but is it not working.


  <panel depends="$nevershowup$">
       <title>BASE SEARCH PANEL</title>
           <search id="baseSearch">
               <query>index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA"  </query>
            <option name="list.drilldown">none</option>
     <title>NAM Region</title>
          <search base="baseSearch">
             <query> | where like('Region', "%APAC%") | stats sum(TotalSpace) AS Total sum(UsedSpace) AS Used sum(AvailableSpace) AS Available | eval Total=round(Total/1024,0) | eval Used=round(Used/1024,0) | eval Available=round(Available/1024,0) | table Used,Available | transpose | eval Used=Used."(".Used."%)"</query>
                 <option name="charting.chart">pie</option>
                 <option name="charting.chart.showDataLabels">all</option>
                 <option name="charting.chart.showPercent">true</option>
                 <option name="charting.chart.stackMode">stacked100</option>
                 <option name="charting.drilldown">none</option>
                <option name="charting.legend.placement">top</option>
                <option name="refresh.display">progressbar</option>


Labels (1)
0 Karma
1 Solution


Thanks Gcusello for you response, Unfortunately that didn't fixed my issue as well.


The issue got resolved after changing the string "fields" to "table" in the base search

View solution in original post

0 Karma


Thanks for the Response @ITWhisperer . I'm not getting any specific error. The Pie chart is showing "No result Found", but when i runt he actual search using "Edit Search" option, i see the expected results

0 Karma


Can you elaborate as to what is not working? What error messages do you get? etc.

0 Karma



Complete Search from one of the panel out of 20 different panels


index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA" | where like('Region', "%APAC%") | stats sum(TotalSpace) AS Total sum(UsedSpace) AS Used sum(AvailableSpace) AS Available | eval Total=round(Total/1024,0) | eval Used=round(Used/1024,0) | eval Available=round(Available/1024,0) | table Used,Available | transpose | eval Used=Used."(".Used."%)"




On my dashboard, I have close to "20" different panels, As of now all the "20" panels have their own query. So to avoid the individual queries, I'm trying to use the base search feature for efficiency purpose.


On all the queries from 20 different panels, the common string is "index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA" |". So i'm trying to put this in the basesearch and keeping the remaining part of the query in each panel. But when i do this, I don't see any result in the panel, but when i do the same search manually, the query is returning results.


So looking to see if anyone can suggest anything to make this work.


Thanks for your Time and Support. Appreciate your help.

0 Karma


Hi @dustintroop,

at the end of the base search, don't use "| fields *", but list all the fields you need in all the panels, e.g. to satisfy the search you shared, you have to add:

| fields _time Region TotalSpace UsedSpace AvailableSpace

then add the other fields you need for the other panels.

You can troubleshoot each panel opening it in the search dashboard and adding one by one every field.



0 Karma


Thanks Gcusello for you response, Unfortunately that didn't fixed my issue as well.


The issue got resolved after changing the string "fields" to "table" in the base search

0 Karma
Get Updates on the Splunk Community!

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...

Out of the Box to Up And Running - Streamlined Observability for Your Cloud ...

  Tech Talk Streamlined Observability for Your Cloud Environment Register    Out of the Box to Up And Running ...

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...