- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Why doesn't my XML base search work?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am playing with my base search and wondering why this is not working for me. My XML is as below. Pretty simple one huh?
So base search is just index=xyz for last 60 minutes. And the data has a field called action. I want timechart on that action.
For result it just shows timechart on just action (NULL) and not all.
If I open the same search in another window, I am getting proper result. Why such behavior?
<dashboard>
<search id="basesearch">
<query> index=xyz
</query>
<earliest>-60m</earliest>
<latest>now</latest>
</search>
<row>
<panel>
<chart>
<search base="basesearch">
<query>stats count by action</query>
</search>
</chart>
</panel>
</row>
</dashboard>
PS: If I run stats count instead of timechart then it show No Result found but the same query works well in search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@varad_joshi, you can try to return specific fields or try | fields * in your base search and then see whether your post-process query picks it up or not. However, you should refer to Post Processing Best Practices that the base search should have a transforming command and you must not try to pass on raw events through the base search (in such cases you might be better off running separate searches instead of post processing).
Check out examples on how you should ideally perform post processing (multiple and multi-level)
<search id="basesearch">
<query> index=xyz | fields action
</query>
<earliest>-60m</earliest>
<latest>now</latest>
</search>
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@varad_joshi, you can try to return specific fields or try | fields * in your base search and then see whether your post-process query picks it up or not. However, you should refer to Post Processing Best Practices that the base search should have a transforming command and you must not try to pass on raw events through the base search (in such cases you might be better off running separate searches instead of post processing).
Check out examples on how you should ideally perform post processing (multiple and multi-level)
<search id="basesearch">
<query> index=xyz | fields action
</query>
<earliest>-60m</earliest>
<latest>now</latest>
</search>
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Niket.
Yes I figured that later once I posted the question.
Thanks for your answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Aren't you missing the pipe at <query>stats count by action</query>?, meaning something like <query>| stats count by action</query>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ddrillic, I don't think pipe is mandatory for post process searches.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fair enough - thank you @niketnilay.
Index This | Forward, I’m heavy; backward, I’m not. What am I?
A Guide To Cloud Migration Success
Join Us for Splunk University and Get Your Bootcamp Game On!
