Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- "No search query provided" when using base search ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"No search query provided" when using base search in a dashboard
pjb2160
Path Finder
07-27-2016
05:42 PM
OK, so I've been working away on this one for a little while now and can't see what I've missed. I've created a base search, but it doesn't return any results. Rather, it reads "No search query provided", please refer following code sample:
<form>
<label>AV Dashboard</label>
<fieldset submitButton="false">
<input type="time" token="time_token">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="event_desc_token" searchWhenChanged="true">
<label>Event Description</label>
<default>*</default>
</input>
<input type="text" token="user_token" searchWhenChanged="true">
<label>User</label>
<default>*</default>
</input>
</fieldset>
<search id="baseSearch1">
<query>
index=sec_antivirus sourcetype="antivirus:symantec:ids" Event_Description="$event_desc_token$" user="$user_token$" | fields *
</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<row>
<panel>
<title>All Events</title>
<single>
<option name="drilldown">none</option>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="numberPrecision">0</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
<option name="linkView">search</option>
<search base="baseSearch1">
<query>stats count</query>
</search>
</single>
</panel>
</row>
</form>
Please help.
many thanks,
P
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
phoenixdigital
Builder
07-27-2016
06:06 PM
Nothing stands out. I modified your whole XML search to work from _internal and it works fine.
<form>
<label>Test Dashboard</label>
<fieldset submitButton="false">
<input type="time" token="time_token">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="sourcetype_token" searchWhenChanged="true">
<label>Sourcetype</label>
<default>*</default>
</input>
<input type="text" token="log_level_token" searchWhenChanged="true">
<label>Log Level</label>
<default>*</default>
</input>
</fieldset>
<search id="baseSearch1">
<query>
index=_internal log_level="$log_level_token$" sourcetype="$sourcetype_token$" | fields *
</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<row>
<panel>
<title>All Events</title>
<single>
<option name="drilldown">none</option>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="numberPrecision">0</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
<option name="linkView">search</option>
<search base="baseSearch1">
<query>stats count</query>
</search>
</single>
</panel>
</row>
</form>
Get Updates on the Splunk Community!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Wednesday, May 29, 2024 | 11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...
