Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

"No search query provided" when using base search in a dashboard

pjb2160
Path Finder
‎07-27-2016 05:42 PM

OK, so I've been working away on this one for a little while now and can't see what I've missed. I've created a base search, but it doesn't return any results. Rather, it reads "No search query provided", please refer following code sample:

<form>
  <label>AV Dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="time_token">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="event_desc_token" searchWhenChanged="true">
      <label>Event Description</label>
      <default>*</default>
    </input>
    <input type="text" token="user_token" searchWhenChanged="true">
      <label>User</label>
      <default>*</default>
    </input>
  </fieldset>
  <search id="baseSearch1">
    <query>
      index=sec_antivirus sourcetype="antivirus:symantec:ids" Event_Description="$event_desc_token$" user="$user_token$" | fields *
    </query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
  </search>
  <row>
    <panel>
      <title>All Events</title>
      <single>
        <option name="drilldown">none</option>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="numberPrecision">0</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
        <option name="linkView">search</option>
        <search base="baseSearch1">
          <query>stats count</query>
        </search>
      </single>
    </panel>
  </row>
</form>

Please help.

many thanks,
P

0 Karma
Reply

phoenixdigital
Builder
‎07-27-2016 06:06 PM

Nothing stands out. I modified your whole XML search to work from _internal and it works fine.

     <form>
       <label>Test Dashboard</label>
       <fieldset submitButton="false">
         <input type="time" token="time_token">
           <label></label>
           <default>
             <earliest>-24h@h</earliest>
             <latest>now</latest>
           </default>
         </input>
         <input type="text" token="sourcetype_token" searchWhenChanged="true">
           <label>Sourcetype</label>
           <default>*</default>
         </input>
         <input type="text" token="log_level_token" searchWhenChanged="true">
           <label>Log Level</label>
           <default>*</default>
         </input>
       </fieldset>
       <search id="baseSearch1">
         <query>
           index=_internal log_level="$log_level_token$" sourcetype="$sourcetype_token$" | fields *
         </query>
         <earliest>$time_token.earliest$</earliest>
         <latest>$time_token.latest$</latest>
       </search>
       <row>
         <panel>
           <title>All Events</title>
           <single>
             <option name="drilldown">none</option>
             <option name="colorBy">value</option>
             <option name="colorMode">none</option>
             <option name="numberPrecision">0</option>
             <option name="showSparkline">1</option>
             <option name="showTrendIndicator">1</option>
             <option name="trendColorInterpretation">standard</option>
             <option name="trendDisplayMode">absolute</option>
             <option name="useColors">0</option>
             <option name="useThousandSeparators">1</option>
             <option name="linkView">search</option>
             <search base="baseSearch1">
               <query>stats count</query>
             </search>
           </single>
         </panel>
       </row>
     </form>
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...