Splunk Search

Does the date range in the Base search carry forward to the Post Process search, or can they have different time ranges?

IRHM73
Motivator

Hi,

I just wonder whether someone may be able to help me please.

I'm trying to put together a Post Process - Base Search with similar format to that below:

<search id="baseSearch">
  <query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
  <earliest>-30d</earliest>
  <latest>now</latest>
</search>

<search base="baseSearch">
  <query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
  <earliest>-1d</earliest>
  <latest>now</latest>
</search>

Could someone tell me please, does the date period in the 'Base' search carry forward to the 'Post Process' search, or can they be different as shown in my example above?

Many thanks and kind regards

Chris

0 Karma
1 Solution

bmacias84
Champion

Yes, the post process search only contains those fields/transformed data from the base search. Your query in the postProcess search should not have any reference to index or source. Think of your postProcess search as another pipe, like you're piping the results from your basesearch into another command, except you are able to pipe your base search into multiple transforming commands or panels.

Your searches should look like this.

<search id="baseSearch">
  <query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
  <earliest>-30d</earliest>
  <latest>now</latest>
</search>

<search base="baseSearch">
  <query>where component="foo"</query>
</search>

<search base="baseSearch">
  <query>where component="bar"</query>
</search>

IRHM73
Motivator

Hi @bmacias84, many thanks for the confirmation.

Kind Regards

Chris

0 Karma

krsrbh
New Member

Is there a way we can override the time range mentioned in base search, in the Post Processing Search. I need this as I need 2 different charts for the same query, but with different time ranges. Please help.

0 Karma

bmacias84
Champion

@krsrbh I don't think you understand how post process search works. Post process search can only contain data from the base search. If you need separate time spans you will need to add a subsearch to your base search. In post process search you will need a filter statement to omit data from post process search or another.

0 Karma
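One way to get the two charts krsrbh asks for (same query, 30-day and 1-day windows) from a single base search, as an added example that is not from the thread: the base search runs over the wider window and tags each event with the window it falls in, so each post-process search only filters and re-aggregates and never needs its own earliest/latest. The field name `window` and the `relative_time` cut-off are assumptions made for this example.

```xml
<!-- Base search: runs once over the widest window (30 days) and, since a
     post-process search cannot change the time range, tags each event with
     an assumed 'window' field before the transforming stats command. -->
<search id="baseSearch">
  <query>index=_internal source=*splunkd.log
    | eval window=if(_time >= relative_time(now(), "-1d"), "last_day", "older")
    | stats count by window, component, log_level</query>
  <earliest>-30d</earliest>
  <latest>now</latest>
</search>

<!-- Post-process for the full 30-day chart: no index/source, no time range,
     just re-aggregate the pre-counted rows across both windows. -->
<search base="baseSearch">
  <query>stats sum(count) as count by component, log_level</query>
</search>

<!-- Post-process for the 1-day chart: filter to the tagged rows first,
     then re-aggregate so the panel shows the same shape as the 30-day one. -->
<search base="baseSearch">
  <query>where window="last_day" | stats sum(count) as count by component, log_level</query>
</search>
```

Because the base search ends in a transforming command (`stats`), only the aggregated rows are kept for the post-process searches, which keeps the dashboard well under the post-process event limit.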