Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why are my dashboard panels using a base searc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I've encountered this problem a couple of times now.
I have a dashboard where some of the panels run on a base search to save computing power. When I open the dashboard the panels using the base search are showing zero results, but if I open them in search I get the results I want. I'll provide the XML. Why could it be that this is happening? Is there some sort of missing capability that prevents me from seeing the results in the dashboard or app even though I can see the correct results when the panel is opened in search?
<search id="manageStoreEmployee">
<query>eventtype=a OR eventtype=b</query>
<earliest>$token_time_picker.earliest$</earliest>
<latest>$token_time_picker.latest$</latest>
</search>
<panel>
<title>Manage Store Employee - Front-End</title>
<single>
<search base="manageStoreEmployee">
<query>| stats count(eval(status!=422)) as success</query>
</search>
</single>
</panel>
<panel>
<title>Manage Store Employee - Back-End</title>
<single>
<search base="manageStoreEmployee">
<query>| stats count(eval(status!=502)) as success</query>
</search>
</single>
</panel>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try this in your base search
eventtype="a" OR eventtype="b" | fields status, other fields
It's possible that filed extraction is not happening in dashboard since it runs search in smart mode by default
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
More generically, put a
| fields *
at the end of the base query. This will make certain that you have all the fields you need for all the other panels that might reference that base.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I woud add that, instead of using:
| fields *
it is better to extract only the fields you need later on in all the other dashboard panels, this will improve the performance of the entire dashboard, here below the example:
| fields field1, field2, field3 etc..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, this suggestion fixed my issue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for this.. Solved my issue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this answer fixed my dashboard
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try this in your base search
eventtype="a" OR eventtype="b" | fields status, other fields
It's possible that filed extraction is not happening in dashboard since it runs search in smart mode by default
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked perfectly, I'd never thought of that being the problem. Thanks a lot!
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
