Splunk Search

Splunk Base Search issues

dustintroop
Explorer

Having issues with splitting the complete search between "basesearch" and "remaining search in other panels".


Complete Search

#############

index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA" | where like('Region', "%APAC%") | stats sum(TotalSpace) AS Total sum(UsedSpace) AS Used sum(AvailableSpace) AS Available | eval Total=round(Total/1024,0) | eval Used=round(Used/1024,0) | eval Available=round(Available/1024,0) | table Used,Available | transpose | eval Used=Used."(".Used."%)"

The split below is the only working search, but this won't work for me.

Working XML Code

##############


<row>
  <panel depends="$nevershowup$">
    <event>
      <title>BASE SEARCH PANEL</title>
      <search id="baseSearch">
        <query>index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA" | where like('Region', "%APAC%") | stats sum(TotalSpace) AS Total sum(UsedSpace) AS Used sum(AvailableSpace) AS Available | eval Total=round(Total/1024,0) | eval Used=round(Used/1024,0) | eval Available=round(Available/1024,0) | table Used,Available | transpose | </query>
        <earliest>$timepicker.earliest$</earliest>
        <latest>$timepicker.latest$</latest>
      </search>
      <option name="list.drilldown">none</option>
    </event>
  </panel>
</row>
<row>
  <panel>
    <title>NAM Region</title>
    <chart>
      <search base="baseSearch">
        <query> eval Used=Used."(".Used."%)"</query>
      </search>
      <option name="charting.chart">pie</option>
      <option name="charting.chart.showDataLabels">all</option>
      <option name="charting.chart.showPercent">true</option>
      <option name="charting.chart.stackMode">stacked100</option>
      <option name="charting.drilldown">none</option>
      <option name="charting.legend.placement">top</option>
      <option name="refresh.display">progressbar</option>
    </chart>
  </panel>
</row>

The way I want it to work, but it is not working

#############################

The reason is, I have many panels and the common string in all panels is index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA" and I want to use this in the base search. I tried using "| fields *" from the other solutions suggested in the Splunk community, but it is not working.


<row>
  <panel depends="$nevershowup$">
    <event>
      <title>BASE SEARCH PANEL</title>
      <search id="baseSearch">
        <query>index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA"</query>
        <earliest>$timepicker.earliest$</earliest>
        <latest>$timepicker.latest$</latest>
      </search>
      <option name="list.drilldown">none</option>
    </event>
  </panel>
</row>
<row>
  <panel>
    <title>NAM Region</title>
    <chart>
      <search base="baseSearch">
        <query>| where like('Region', "%APAC%") | stats sum(TotalSpace) AS Total sum(UsedSpace) AS Used sum(AvailableSpace) AS Available | eval Total=round(Total/1024,0) | eval Used=round(Used/1024,0) | eval Available=round(Available/1024,0) | table Used,Available | transpose | eval Used=Used."(".Used."%)"</query>
      </search>
      <option name="charting.chart">pie</option>
      <option name="charting.chart.showDataLabels">all</option>
      <option name="charting.chart.showPercent">true</option>
      <option name="charting.chart.stackMode">stacked100</option>
      <option name="charting.drilldown">none</option>
      <option name="charting.legend.placement">top</option>
      <option name="refresh.display">progressbar</option>
    </chart>
  </panel>
</row>

0 Karma

dustintroop
Explorer

Thanks for the response @ITWhisperer. I'm not getting any specific error. The pie chart is showing "No result Found", but when I run the actual search using the "Edit Search" option, I see the expected results.

0 Karma

ITWhisperer
SplunkTrust

Can you elaborate as to what is not working? What error messages do you get? etc.

0 Karma

dustintroop
Explorer

Complete Search from one of the panels out of 20 different panels

##############################################

index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA" | where like('Region', "%APAC%") | stats sum(TotalSpace) AS Total sum(UsedSpace) AS Used sum(AvailableSpace) AS Available | eval Total=round(Total/1024,0) | eval Used=round(Used/1024,0) | eval Available=round(Available/1024,0) | table Used,Available | transpose | eval Used=Used."(".Used."%)"

On my dashboard, I have close to 20 different panels. As of now, all 20 panels have their own query, so to avoid the individual queries I'm trying to use the base search feature for efficiency purposes.

On all the queries from the 20 different panels, the common string is index=Temp_Index="http:hec_splunk" sourcetype="json:script_output" "Source Team"="UNIX_SA" |. So I'm trying to put this in the base search and keep the remaining part of the query in each panel. But when I do this, I don't see any result in the panel, whereas when I run the same search manually, the query returns results.

So looking to see if anyone can suggest anything to make this work.

Thanks for your time and support. I appreciate your help.

0 Karma

gcusello
SplunkTrust

Hi @dustintroop,

at the end of the base search, don't use "| fields *", but list all the fields you need in all the panels, e.g. to satisfy the search you shared, you have to add:

| fields _time Region TotalSpace UsedSpace AvailableSpace

then add the other fields you need for the other panels.

You can troubleshoot each panel by opening it in the search dashboard and adding every field one by one.

Ciao.

Giuseppe

0 Karma

dustintroop
Explorer

Thanks Gcusello for your response. Unfortunately, that didn't fix my issue either.

The issue got resolved after changing the string "fields" to "table" in the base search.

0 Karma
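As an added example (not code from the thread, and not from any of the posters), here is a complete Simple XML dashboard that applies gcusello's advice to dustintroop's layout: the base search carries only the common filter plus an explicit "| fields" list, and each panel's post-process search does its own filtering and aggregation. The index name, sourcetype, "Source Team" value and the Region/TotalSpace/UsedSpace/AvailableSpace field names are taken from the posts. Everything else is assumed: the time input token, the panel titles, the NAM single-value panel, and the base search being declared at the top level of the form rather than in a hidden panel (Simple XML accepts a search with an id directly under form or dashboard). The index term is written as a plain index=Temp_Index because the ="http:hec_splunk" suffix in the post's filter is ambiguous as written and I cannot tell what it was meant to match, so it is left out.

```xml
<form>
  <label>Storage by Region (base search example)</label>

  <!-- Assumed time input; it supplies the $timepicker.earliest$ / $timepicker.latest$ tokens used in the thread. -->
  <fieldset submitButton="false">
    <input type="time" token="timepicker">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Base search: only the common filter, plus an explicit field list.
       A base search without a transforming command keeps only default
       fields; without "| fields ..." (or "| table ...") the post-process
       searches below would see no Region/TotalSpace/UsedSpace/AvailableSpace
       and the panels would show "No results found". Every field that ANY
       panel needs must be listed here, which is why Total* is included
       even though the pie chart does not use it. -->
  <search id="baseSearch">
    <query>index=Temp_Index sourcetype="json:script_output" "Source Team"="UNIX_SA"
      | fields _time Region TotalSpace UsedSpace AvailableSpace</query>
    <earliest>$timepicker.earliest$</earliest>
    <latest>$timepicker.latest$</latest>
  </search>

  <row>
    <panel>
      <title>APAC Region</title>
      <chart>
        <!-- Post-process search: starts with a pipe and only references
             fields the base search passed through. transpose turns the
             two summed columns into label/value rows for the pie chart. -->
        <search base="baseSearch">
          <query>| where like('Region', "%APAC%")
            | stats sum(UsedSpace) AS Used sum(AvailableSpace) AS Available
            | eval Used=round(Used/1024,0), Available=round(Available/1024,0)
            | transpose column_name=Metric
            | rename "row 1" AS GB</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.showPercent">true</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">top</option>
      </chart>
    </panel>

    <panel>
      <title>NAM Region: used capacity</title>
      <!-- Assumed second panel, to show that a different region and a
           different aggregation can share the same base search as long as
           the fields it needs (TotalSpace here) are in the base field list. -->
      <single>
        <search base="baseSearch">
          <query>| where like('Region', "%NAM%")
            | stats sum(UsedSpace) AS Used sum(TotalSpace) AS Total
            | eval UsedPct=round(100*Used/Total,1)
            | fields UsedPct</query>
        </search>
        <option name="unit">%</option>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</form>
```

The accepted answer in the thread used "| table" instead of "| fields" at the end of the base search; both pass the listed columns to the post-process searches. The difference is that fields is a distributable streaming command, so the field trimming happens on the indexers, whereas table is non-streaming and pulls everything to the search head first. Two checks worth doing when a panel shows "No results found" but the full query works in Search: open the panel's search and confirm every field it touches is named in the base search's field list, and keep the total event volume of a non-transforming base search well under Splunk's documented post-process limit (500,000 events), moving the stats into the base search itself if it is not.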