Splunk Search

Why are my dashboard panels using a base search showing no results, but shows results if opened in search?

hettervik
Builder

Hi,

I've encountered this problem a couple of times now.

I have a dashboard where some of the panels run on a base search to save computing power. When I open the dashboard the panels using the base search are showing zero results, but if I open them in search I get the results I want. I'll provide the XML. Why could it be that this is happening? Is there some sort of missing capability that prevents me from seeing the results in the dashboard or app even though I can see the correct results when the panel is opened in search?

<search id="manageStoreEmployee">
    <query>eventtype=a OR eventtype=b</query>
    <earliest>$token_time_picker.earliest$</earliest>
    <latest>$token_time_picker.latest$</latest>
</search>

<panel>
      <title>Manage Store Employee - Front-End</title>
      <single>
        <search base="manageStoreEmployee">
          <query>| stats count(eval(status!=422)) as success</query>
        </search>
      </single>
</panel>
<panel>
      <title>Manage Store Employee - Back-End</title>
      <single>
        <search base="manageStoreEmployee">
          <query>| stats count(eval(status!=502)) as success</query>
        </search>
      </single>
</panel>
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

Can you try this in your base search

eventtype="a" OR eventtype="b" | fields status, other fields

It's possible that filed extraction is not happening in dashboard since it runs search in smart mode by default

Happy Splunking!

View solution in original post

chuckers
Path Finder

More generically, put a

| fields *

at the end of the base query. This will make certain that you have all the fields you need for all the other panels that might reference that base.

edoardo_vicendo
Contributor

I woud add that, instead of using:

| fields *

it is better to extract only the fields you need later on in all the other dashboard panels, this will improve the performance of the entire dashboard, here below the example:

| fields field1, field2, field3 etc..
0 Karma

edoardo_vicendo
Contributor

Thanks, this suggestion fixed my issue

0 Karma

christoffertoft
Communicator

Thank you for this.. Solved my issue

0 Karma

cpershey
Explorer

this answer fixed my dashboard

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Can you try this in your base search

eventtype="a" OR eventtype="b" | fields status, other fields

It's possible that filed extraction is not happening in dashboard since it runs search in smart mode by default

Happy Splunking!

hettervik
Builder

That worked perfectly, I'd never thought of that being the problem. Thanks a lot!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...