Why is my Base Search cutting off Fields in the Dashboard view?

skoelpin
SplunkTrust

I made a dashboard with a single base search passing the results to downstream panels. When I make my panels dependent on the base search, all my fields are cut off in the dashboard view. But when I click the search button and open it up, everything is working as expected. Also, if I remove the base search from my dashboard and make each panel an independent in-line search, it will work correctly. I've tried explicitly calling the fields at the end of my search with | fields + <field1> <field2> with no luck. Can anyone point me in the right direction?

Here's some of the XML:

<row>
    <panel>
      <single depends="$nothing$">
        <search id="BASE">
          <query>index=xxxxxxx (source="xxxxxx") </query>
          <earliest>$TimePicker.earliest$</earliest>
          <latest>$TimePicker.latest$</latest>
          <refresh>100m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="refresh.display">none</option>
      </single>
      <viz depends="$panel1$" type="Splunk_ML_Toolkit.LinesViz">
        <title>Aggregate Customer Traffic</title>
        <search base="BASE">
          <query>
| timechart cont=false limit=0 span=10m max("Actual:All") AS "Actual:All"
  max("high:All") AS "high:All" min("low:All") AS "low:All" min("pred:All") AS "pred:All"
| eval IsActualNull=if(_time&lt;relative_time(now(),"-10m") AND isnull('Actual:All'),1000,0)
          </query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">none</option>
      </viz>
      <viz depends="$panel2$" type="Splunk_ML_Toolkit.LinesViz">
        <search base="BASE">
          <query>
| timechart  cont=false limit=0 span=10m max("Actual:$cust_name$") AS "Actual:$cust_name$"  max("high: $cust_name$") AS "high: $cust_name$" min("low: $cust_name$") AS "low: $cust_name$" min("pred: $cust_name$") AS "pred: $cust_name$"
| makecontinuous _time</query>
        </search>
        <option name="drilldown">none</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
1 Solution

micahkemp
Champion

Dashboard searches don't run in verbose mode, so your base search should include | fields <field1> <field2> ... <fieldN> to define which fields will be needed by your post-process searches.

Edit for clarity: fields ... needs to be a part of the base search.
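The accepted fix written out as a complete Simple XML fragment (an added example, not skoelpin's final dashboard): the `| fields` clause sits in the base search and names every field that either post-process timechart reads, plus `_time` so the buckets can still be built. The index, source, field names and the `$cust_name$` and `$TimePicker$` tokens are taken from the question's XML; the `<` in the eval is escaped as `&lt;`, which is what Simple XML requires inside a `<query>` element.

```xml
<row>
  <panel>
    <single depends="$nothing$">
      <!-- Base search runs once and not in verbose mode, so it must list the fields the panels need -->
      <search id="BASE">
        <query>
          index=xxxxxxx (source="xxxxxx")
          | fields _time "Actual:All" "high:All" "low:All" "pred:All"
                   "Actual:$cust_name$" "high: $cust_name$" "low: $cust_name$" "pred: $cust_name$"
        </query>
        <earliest>$TimePicker.earliest$</earliest>
        <latest>$TimePicker.latest$</latest>
        <refresh>100m</refresh>
        <refreshType>delay</refreshType>
      </search>
      <option name="refresh.display">none</option>
    </single>
    <!-- Post-process searches only transform what the base search already kept -->
    <viz depends="$panel1$" type="Splunk_ML_Toolkit.LinesViz">
      <title>Aggregate Customer Traffic</title>
      <search base="BASE">
        <query>
          | timechart cont=false limit=0 span=10m max("Actual:All") AS "Actual:All"
            max("high:All") AS "high:All" min("low:All") AS "low:All" min("pred:All") AS "pred:All"
          | eval IsActualNull=if(_time&lt;relative_time(now(),"-10m") AND isnull('Actual:All'),1000,0)
        </query>
      </search>
      <option name="drilldown">none</option>
    </viz>
    <viz depends="$panel2$" type="Splunk_ML_Toolkit.LinesViz">
      <search base="BASE">
        <query>
          | timechart cont=false limit=0 span=10m max("Actual:$cust_name$") AS "Actual:$cust_name$"
            max("high: $cust_name$") AS "high: $cust_name$" min("low: $cust_name$") AS "low: $cust_name$"
            min("pred: $cust_name$") AS "pred: $cust_name$"
          | makecontinuous _time
        </query>
      </search>
      <option name="drilldown">none</option>
    </viz>
  </panel>
</row>
```

Because the base search now references `$cust_name$`, changing that token re-runs the base search rather than only the second panel; if that cost matters, replace the four customer-specific names with the wildcard forms the field names share (for example `"Actual:*"`) so the base search stays token-free.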


niketn
Legend

@skoelpin, post-processing ideally should have a transforming command in the base search. You seem to be trying to pass on raw data.

How many events can your base search have for the default time range that you have?

Also, when you choose a shorter time window and pipe | fields * into your base search, are you able to see results or not?

You seem to have only two timecharts in the dashboard. Can you have the timechart command in the base search with all the fields, and then in your post-process panels use only the fields that you need for each panel?

Refer to the following documentation for post-processing best practices:
http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Best_practices

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

skoelpin
SplunkTrust

No luck with adding fields *. I've used a similar base search before with no transformational command and it worked, so I'm a little stumped why it won't work now. My issue with adding the timechart to the base search is that I have 2 separate panels that have different values getting passed in timechart.

Would it be practical to take the two panels below and combine them into a single search and just exclude what's not needed? Example below:

| timechart cont=false limit=0 span=10m max("Actual:All") AS "Actual:All"
  max("high:All") AS "high:All" min("low:All") AS "low:All" min("pred:All") AS "pred:All"

| timechart cont=false limit=0 span=10m max("Actual:$cust_name$") AS "Actual:$cust_name$" max("high: $cust_name$") AS "high: $cust_name$" min("low: $cust_name$") AS "low: $cust_name$" min("pred: $cust_name$") AS "pred: $cust_name$"

| timechart cont=false limit=0 span=10m max("Actual:All") AS "Actual:All"
  max("high:All") AS "high:All" min("low:All") AS "low:All" min("pred:All") AS "pred:All" max("Actual:$cust_name$") AS "Actual:$cust_name$" max("high: $cust_name$") AS "high: $cust_name$" min("low: $cust_name$") AS "low: $cust_name$" min("pred: $cust_name$") AS "pred: $cust_name$"

MuS
Legend

Can you please provide the dashboard XML including the base search that does not work?


skoelpin
SplunkTrust

Yes, it's in the original post: the base search is defined on line 4 and I'm trying to pass the results to line 15 and line 27. When looking at the results in the dashboard, it's only giving the eval field. But when I open it up in search, I'm getting all the expected fields. It looks like my fields are getting cut off in the dashboard view.



skoelpin
SplunkTrust

Yeah, I mentioned trying that in my original question, with no luck. Perhaps I'm putting it in the wrong spot?

It should look like this, right?

<search base="BASE">
  <query>
| timechart cont=false limit=0 span=10m max("Actual:$cust_name$") AS "Actual:$cust_name$" max("high: $cust_name$") AS "high: $cust_name$" min("low: $cust_name$") AS "low: $cust_name$" min("pred: $cust_name$") AS "pred: $cust_name$"
| makecontinuous _time
| fields + "Actual:$cust_name$" "high: $cust_name$" "low: $cust_name$" "pred: $cust_name$"
  </query>
</search>

micahkemp
Champion

| fields needs to go in the base search, not the post-process search (which is where you have it above).

Apologies for not seeing your comment about trying the fields method already.

skoelpin
SplunkTrust

This solved my problem!! Thank you!!!
