Splunk Search

Base Search returning different results than normal search

betchim_gerwili
Explorer

As the title suggests, I'm having issues with a base search that I'm trying to create. The base search uses tokens to pull info from a data model and the actual search uses stats to get a count of vendor products. The issue that I'm having is that the search runs normally without the base search, but when it is split up using the base search there is information missing. Clicking on the magnifying glass (in the table with the missing info) opens a new search that reconnects the searches and comes up with the correct info. I'm baffled as to why this is happening. I've done research about this issue and all that I've found is this question - https://answers.splunk.com/answers/608175/splunk-dashboard-base-search-gives-result-which-is.html
As far as I know it shouldn't be an issue with limits.conf because the search is returning less than 50 results.

Base Search:

    <search id="baseSearch1">
      <query>
        $control_token_visualizations$
        | from datamodel:"Malware.Malware_Attacks"
        | search $env_tok$ dest="*$hostname_tok$*"$avtype_tok$ vendor_product="$vendor_tok$" sourcetype!=carbonblack:defense:json
      </query>
      <earliest>$time_tok.earliest$</earliest>
      <latest>$time_tok.latest$</latest>
    </search>

Continued search:

    <panel>
      <title>Top Destinations</title>
      <table>
        <search base="baseSearch1">
          <query>
            | stats values(vendor_product) count by dest
            | rename values(vendor_product) AS "Vendor Product"
            | sort - count
          </query>
        </search>
        <option name="count">15</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
0 Karma

preactivity
Path Finder

If you are using base searches, you must return the fields required by all the panels on the base search. If you do not return the fields on the base search, then the panels will not work as expected. In your situation, change your base search to return the fields, then your problem should be resolved. Please let me know if this doesn't work.

    <search id="baseSearch1">
      <query>
        $control_token_visualizations$
        | from datamodel:"Malware.Malware_Attacks"
        | search $env_tok$ dest="*$hostname_tok$*"$avtype_tok$ vendor_product="$vendor_tok$" sourcetype!=carbonblack:defense:json
        | fields vendor_product, dest
      </query>
      <earliest>$time_tok.earliest$</earliest>
      <latest>$time_tok.latest$</latest>
    </search>

If you want to know how to use base searches with a quick example, you can also refer to the video below.
https://www.youtube.com/watch?v=6s3jV6Tx6yg
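As an added illustration of the rule in this answer (example code written for this thread, not from the thread's author or from Splunk): a small Python checker that parses a Simple XML dashboard and reports any field a post-process search reads that its base search does not explicitly keep with `| fields`. The dashboard string is constructed to mirror the two snippets above, and the SPL parsing is a regex heuristic that covers stats-style first commands (aggregation arguments and the BY clause).

```python
import re
import xml.etree.ElementTree as ET
# Constructed dashboard modelled on the thread: the base keeps only vendor_product, but the panel groups by dest.
DASHBOARD_XML = """<dashboard>
  <search id="baseSearch1"><query>
    | from datamodel:"Malware.Malware_Attacks"
    | search vendor_product="*" sourcetype!=carbonblack:defense:json
    | fields vendor_product
  </query></search>
  <row><panel><table><search base="baseSearch1">
    <query>| stats values(vendor_product) count by dest | sort - count</query>
  </search></table></panel></row>
</dashboard>"""

FIELDS_CMD_RE = re.compile(r"\|\s*fields\s+([^|]+)")          # | fields a, b
AGG_ARG_RE = re.compile(r"\b\w+\(\s*([A-Za-z_][\w.]*)\s*\)")   # values(vendor_product)
BY_RE = re.compile(r"\bby\s+(.+)$", re.IGNORECASE)            # ... by dest src

def fields_kept(base_query):
    """Fields in the base search's last `| fields` command; None if absent or a `fields -` removal."""
    cmds = FIELDS_CMD_RE.findall(base_query)
    tokens = [t for t in re.split(r"[,\s]+", cmds[-1]) if t] if cmds else []
    if not tokens or tokens[0].startswith("-"):
        return None
    return {t.lstrip("+") for t in tokens} - {""}

def fields_required(post_query):
    """Fields read by the first post-process command (aggregation args + BY clause);
    later commands consume that command's output, not the base search's fields."""
    first = " ".join(post_query.split()).lstrip("|").split("|")[0]
    required = set(AGG_ARG_RE.findall(first))
    m = BY_RE.search(first)
    if m:
        required |= {t for t in re.split(r"[,\s]+", m.group(1)) if t}
    return required

def lint_dashboard(xml_text):
    """Return [(base_id, sorted missing fields)] for each post-process search reading fields its base does not keep."""
    root = ET.fromstring(xml_text)
    bases = {s.get("id"): s.findtext("query", "") for s in root.iter("search") if s.get("id")}
    problems = []
    for s in root.iter("search"):
        if s.get("base"):
            required = fields_required(s.findtext("query", ""))
            kept = fields_kept(bases.get(s.get("base"), ""))
            missing = required if kept is None else required - kept  # no fields cmd: nothing is guaranteed
            if missing:
                problems.append((s.get("base"), sorted(missing)))
    return problems
```

Running `lint_dashboard(DASHBOARD_XML)` flags `dest` for `baseSearch1`; adding it to the base search's `| fields` line, as the answer suggests, clears the report.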

betchim_gerwili
Explorer

I made the change but I'm still not seeing the correct data. I opened the view in a search and the correct data showed up when it was in Fast Mode. I changed it to Verbose Mode and the results were what I was seeing on the view.

Is there any way that I can make the view run in Fast Mode? I've read that it does run in Fast as default, but this one obviously isn't working correctly.

0 Karma