Splunk Search

"No search query provided" when using base search

PanKokos
Path Finder

Hi,

I have created quite large dashboard and want to add some optimizations to it. I choose to use base search as a starter here. However I could not make it working. Probably I am missing something basic - could anyone point me how to correct this?

form>
  <label></label>
  <fieldset submitButton="true" autoRun="false">
    <!-- fields -->
  </fieldset>
<search id="baseSearch" >
    <query>
      <query>
        sourcetype="source" | 
        where Type="Profiling" | regex Name ="$Name$" | 
        eval ElapsedTime = ElapsedTime_ms / 1000 / 60 | 
        eval Id = if(IsChild="True", ParentId, ID) | 
        eval Reference = "(".RefSec."-".Name.")-".Id        
      </query>
      <earliest>$field3.earliest$</earliest>
      <latest>$field3.latest$</latest>
    </query>
  </search>
  <row>
    <panel>
      <title></title>
      <chart>
        <search base="baseSearch">
          <query> chart sum(ElapsedTime) as TotalTime over Reference by SectionName | addtotals fieldname=OTHER | eval OTHER=2*TotalExecutionTime - OTHER | fields - TotalExecutionTime | sort -OTHER | head 10</query>
        </search>
<!-- rest of the form -->

What I am missing here?

Tags (1)
0 Karma
1 Solution

PanKokos
Path Finder

Found out - finally it was a typo in a query tags in base query:

     <query>
           <query>

View solution in original post

0 Karma

PanKokos
Path Finder

Found out - finally it was a typo in a query tags in base query:

     <query>
           <query>
0 Karma

somesoni2
SplunkTrust
SplunkTrust

The earliest and latest on base search is using a token field3 which I don't see available under fieldset ? Did you miss adding a timerange picker to the form ?

0 Karma

PanKokos
Path Finder

Hi, I have removed the fieldset from sample to reduce XML. Here it is:

<fieldset submitButton="true" autoRun="false">
    <input type="text" token="Name" searchWhenChanged="false">
      <label>Name</label>
      <default>.*</default>
    </input>
    <input type="time" token="field3" searchWhenChanged="false">
      <label>Time range</label>
      <default>
        <earliest>-6h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Assuming you're got all the syntax correct, so try adding a table command to the base search, like this

 sourcetype="source" | 
         where Type="Profiling" | regex Name ="$Name$" | 
         eval ElapsedTime = ElapsedTime_ms / 1000 / 60 | 
         eval Id = if(IsChild="True", ParentId, ID) | 
         eval Reference = "(".RefSec."-".Name.")-".Id  
| table Reference SectionName ElapsedTime Id...and all other fields to be used in other post process searches
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...