Is anyone having issues with base searches in 7.2?

paimonsoror · ‎10-09-2018

Having some strange behavior with base searches right now. For example, we have events like this flowing into Splunk:

{   [-] 
     after:  f082add60bd2dee91c16b34ff82d20b26767d63c   
     before:     1182aef3bf03c42f4d93be03cc28c1eead5bda7f   
     checkout_sha:   f082add60bd2dee91c16b34ff82d20b26767d63c   
     commits:   [   [+] 
    ]   
     event_name:     push   
     message:    null   
     object_kind:    push   
     project:   {   [+] 
    }   
     project_id:     21738  
     ref:    refs/heads/master  
     repository:    {   [+] 
    }   
     total_commits_count:    1  
     user_avatar:    https://www.gravatar.com/avatar/9a2d59bf028f9dcfa528fe54f15642bd?s=80&d=identicon  
     user_email:     me@you.com 
     user_id:    131    
     user_name:  Me You 
     user_username:  Me You 
}

And here is my dashboard:

<form>
  <label>Git - Audit</label>
  <search id="base_s">
    <query>index = app_gitaudit project.name=$field2$</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Stats By Event</title>
      <chart>
        <search base="base_s">
          <query>| stats c by event_name</query>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.chart">bar</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
</form>

The strange thing is that the "Stats By Event" panel shows that results were not found. However, if you click the search button (magnifying glass), the search produces results.

paimonsoror · ‎10-09-2018

Ah, figured it out:

See: https://answers.splunk.com/answers/432023/dashboard-base-search-is-not-working-for-all-panel.html

basically had to add 'fields' to force the base search to keep fields i needed

493669 · ‎10-09-2018

I tested similar way in splunk 7.2 and it's working fine

<form>
  <label>Test_690859</label>
   <search id="base_s">
             <query>index=_internal</query>
     <earliest>$field1.earliest$</earliest>
     <latest>$field1.latest$</latest>
     <sampleRatio>1</sampleRatio>
        </search>
       <fieldset submitButton="false">
     <input type="time" token="field1">
       <label></label>
       <default>
         <earliest>-7m@m</earliest>
         <latest>now</latest>
       </default>
     </input>
   </fieldset>
<row>
     <panel>
       <title>Stats By Event</title>
       <chart>
         <search base="base_s">
           <query>| stats count by source</query>
         </search>
         <option name="charting.axisTitleX.visibility">collapsed</option>
         <option name="charting.axisTitleY.visibility">visible</option>
         <option name="charting.chart">bar</option>
         <option name="charting.drilldown">none</option>
         <option name="charting.legend.placement">none</option>
       </chart>
     </panel>
   </row>
 </form>

Not Sure how field2 token gets populated in your dashboard

paimonsoror · ‎10-09-2018

sorry i accidentally cut out that panel, field2 was a drop down that did a stats on the projects by name. But very interesting, ill keep digging

Is anyone having issues with base searches in 7.2?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor