Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- help on base search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello
I try to use a base search between two single panel
the first single panel is on the last 24 h and the second panel must be on the last 7 days
but when i put <earliest>-7d@h</earliest><latest>now</latest> in the second panel I have a validation warning!
what i have to do please?
<row>
<panel>
<single>
<search id="test">
<query>index=toto sourcetype=tutu
| fields signaler
| stats dc(signaler)</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</single>
</panel>
<panel>
<single>
<search base="test">
<query>| stats dc(signaler)</query>
</search>
</single>
</panel>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jip31,
base searches must be outside panels and in each panel, you have to put the specific filter of the panel, in other words, something like this:
<search id="test">
<query>
index=toto sourcetype=tutu
| fields signaler
| stats dc(signaler)
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<row>
<panel>
<single>
<search base="test">
<query>
...
</query>
</search>
</single>
</panel>
<panel>
<single>
<search base="test">
<query>
...
</query>
</search>
</single>
</panel>But in your case you cannot use a base search because you have the same search but two different timeframes.
If you would use a base search you have to modify your search:
<search id="test">
<query>
index=toto sourcetype=tutu
| eval type=if(_time-now()<86400,"Last24 hours","Last week")
| fields signaler type
| stats dc(signaler) BY type
</query>
<earliest>-7d@d</earliest>
<latest>now</latest>
</search>
<row>
<panel>
<single>
<search base="test">
<query>
| search type="Last24 hours"
</query>
</search>
</single>
</panel>
<panel>
<single>
<search base="test">
<query>
| search type="Last week"
</query>
</search>
</single>
</panel>You can find more infos at https://docs.splunk.com/Documentation/Splunk/8.2.2/Viz/Savedsearches#Post-process_searches_2 or using the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603/).
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jip31,
base searches must be outside panels and in each panel, you have to put the specific filter of the panel, in other words, something like this:
<search id="test">
<query>
index=toto sourcetype=tutu
| fields signaler
| stats dc(signaler)
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<row>
<panel>
<single>
<search base="test">
<query>
...
</query>
</search>
</single>
</panel>
<panel>
<single>
<search base="test">
<query>
...
</query>
</search>
</single>
</panel>But in your case you cannot use a base search because you have the same search but two different timeframes.
If you would use a base search you have to modify your search:
<search id="test">
<query>
index=toto sourcetype=tutu
| eval type=if(_time-now()<86400,"Last24 hours","Last week")
| fields signaler type
| stats dc(signaler) BY type
</query>
<earliest>-7d@d</earliest>
<latest>now</latest>
</search>
<row>
<panel>
<single>
<search base="test">
<query>
| search type="Last24 hours"
</query>
</search>
</single>
</panel>
<panel>
<single>
<search base="test">
<query>
| search type="Last week"
</query>
</search>
</single>
</panel>You can find more infos at https://docs.splunk.com/Documentation/Splunk/8.2.2/Viz/Savedsearches#Post-process_searches_2 or using the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603/).
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
perfect gcusello thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jip31,
good for you, see next time!
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
just a little issue when I use
| eval type=if(_time-now()<86400,"Last24 hours","Last week")I have an "unencoded < " message in my xml
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jip31,
if you put the search directly on dashboard XML source, you have to replace "<" with "<".
Ciao.
Giuseppe
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
