Having issues with splitting the complete search between "basesearch" and "remaining search in other panels".
Complete Search
#############
index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA" | where like('Region', "%APAC%") | stats sum(TotalSpace) AS Total sum(UsedSpace) AS Used sum(AvailableSpace) AS Available | eval Total=round(Total/1024,0) | eval Used=round(Used/1024,0) | eval Available=round(Available/1024,0) | table Used,Available | transpose | eval Used=Used."(".Used."%)"
The split below is the only working search, but this won't work for me.
Working XML Code
##############
<row>
<panel depends="$nevershowup$">
<event>
<title>BASE SEARCH PANEL</title>
<search id="baseSearch">
<query>index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA" | where like('Region', "%APAC%") | stats sum(TotalSpace) AS Total sum(UsedSpace) AS Used sum(AvailableSpace) AS Available | eval Total=round(Total/1024,0) | eval Used=round(Used/1024,0) | eval Available=round(Available/1024,0) | table Used,Available | transpose | </query>
<earliest>$timepicker.earliest$</earliest>
<latest>$timepicker.latest$</latest>
</search>
<option name="list.drilldown">none</option>
</event>
</panel>
</row>
<row>
<panel>
<title>NAM Region</title>
<chart>
<search base="baseSearch">
<query> eval Used=Used."(".Used."%)"</query>
</search>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.showPercent">true</option>
<option name="charting.chart.stackMode">stacked100</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">top</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
The way I want it to work, but it is not working
#############################
The reason is, I have many panels and the common string in all panels is "index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA"" and I want to use this in the base search. I tried using "| fields *" from the other solutions suggested in the Splunk community, but it is not working.
<row>
<panel depends="$nevershowup$">
<event>
<title>BASE SEARCH PANEL</title>
<search id="baseSearch">
<query>index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA" </query>
<earliest>$timepicker.earliest$</earliest>
<latest>$timepicker.latest$</latest>
</search>
<option name="list.drilldown">none</option>
</event>
</panel>
</row>
<row>
<panel>
<title>NAM Region</title>
<chart>
<search base="baseSearch">
<query> | where like('Region', "%APAC%") | stats sum(TotalSpace) AS Total sum(UsedSpace) AS Used sum(AvailableSpace) AS Available | eval Total=round(Total/1024,0) | eval Used=round(Used/1024,0) | eval Available=round(Available/1024,0) | table Used,Available | transpose | eval Used=Used."(".Used."%)"</query>
</search>
<option name="charting.chart">pie</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.showPercent">true</option>
<option name="charting.chart.stackMode">stacked100</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">top</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
Thanks Gcusello for your response. Unfortunately, that didn't fix my issue as well.
The issue got resolved after changing the string "fields" to "table" in the base search.
Thanks for the response @ITWhisperer. I'm not getting any specific error. The pie chart is showing "No result Found", but when I run the actual search using the "Edit Search" option, I see the expected results.
Can you elaborate as to what is not working? What error messages do you get? etc.
Complete Search from one of the panels out of 20 different panels
##############################################
index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA" | where like('Region', "%APAC%") | stats sum(TotalSpace) AS Total sum(UsedSpace) AS Used sum(AvailableSpace) AS Available | eval Total=round(Total/1024,0) | eval Used=round(Used/1024,0) | eval Available=round(Available/1024,0) | table Used,Available | transpose | eval Used=Used."(".Used."%)"
On my dashboard, I have close to "20" different panels. As of now, all the "20" panels have their own query. So to avoid the individual queries, I'm trying to use the base search feature for efficiency purposes.
On all the queries from 20 different panels, the common string is "index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA" |". So I'm trying to put this in the basesearch and keep the remaining part of the query in each panel. But when I do this, I don't see any result in the panel, but when I do the same search manually, the query is returning results.
So looking to see if anyone can suggest anything to make this work.
Thanks for your Time and Support. Appreciate your help.
Hi @dustintroop,
at the end of the base search, don't use "| fields *", but list all the fields you need in all the panels, e.g. to satisfy the search you shared, you have to add:
| fields _time Region TotalSpace UsedSpace AvailableSpace
then add the other fields you need for the other panels.
You can troubleshoot each panel opening it in the search dashboard and adding one by one every field.
Ciao.
Giuseppe
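The layout this thread converges on, written out as an added example (it was not posted by any participant): the base search keeps only the common filter and ends by explicitly listing the fields the panels need, using `table` as the original poster reports, with the field list taken from the reply above. The filter string, panel title and post-process query are copied as posted; extending the field list for the other panels is left as an assumption about what they use.

```xml
<row>
  <!-- Hidden panel that only hosts the shared base search -->
  <panel depends="$nevershowup$">
    <event>
      <title>BASE SEARCH PANEL</title>
      <search id="baseSearch">
        <!-- Common filter (as posted), followed by an explicit field list.
             Every field any post-process search references must be named here;
             add the fields used by the remaining panels to this list. -->
        <query>index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA" | table _time Region TotalSpace UsedSpace AvailableSpace</query>
        <earliest>$timepicker.earliest$</earliest>
        <latest>$timepicker.latest$</latest>
      </search>
      <option name="list.drilldown">none</option>
    </event>
  </panel>
</row>
<row>
  <panel>
    <!-- Title and region filter are as posted in the question -->
    <title>NAM Region</title>
    <chart>
      <!-- Post-process search: runs against the base search results only,
           so it can use Region, TotalSpace, UsedSpace and AvailableSpace
           because the base search passed them through. -->
      <search base="baseSearch">
        <query>| where like('Region', "%APAC%") | stats sum(TotalSpace) AS Total sum(UsedSpace) AS Used sum(AvailableSpace) AS Available | eval Total=round(Total/1024,0) | eval Used=round(Used/1024,0) | eval Available=round(Available/1024,0) | table Used,Available | transpose | eval Used=Used."(".Used."%)"</query>
      </search>
      <option name="charting.chart">pie</option>
      <option name="charting.chart.showDataLabels">all</option>
      <option name="charting.chart.showPercent">true</option>
      <option name="charting.drilldown">none</option>
      <option name="charting.legend.placement">top</option>
      <option name="refresh.display">progressbar</option>
    </chart>
  </panel>
</row>
```

If a panel still shows no results, compare the fields its post-process query references against the base search's field list first; a field missing from that list is simply absent from what the panel receives.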