Splunk Search

Null results on timechart using base search

3DGjos
Communicator

Hello, im making a dashboard with a timechart and some filters, I can't make it to work, my filter gives no results and my linechart shows only a weird count of NULLS. Weird thing is that, if I click on "open in search", my search works.

Here are my inputs:

<search id="base1">
    <query>index=XXX ("XXXCreateEmptyGame: GameInfo:") action=created  game!=*XX* 
         </query>
 <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>  

<input type="time" token="time" searchWhenChanged="true">
        <label>time</label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>

      <input type="multiselect" token="character" searchWhenChanged="true">
        <label>Filtrar by char</label>
        <choice value="*">TODOS</choice>
        <initialValue>*</initialValue>
        <valuePrefix>character="</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter> OR </delimiter>
        <search base="base1">
          <query>  stats      count(action) AS "countx" by character  |head 10| sort - "countx" | fields - "countx"</query>
        </search>
      </input>
      <chart>
        <title>total amount</title>
        <search base="base1">
          <query>timechart  span=1h useother=f count(action) AS "count2" by character  | sort - "count2"</query>
        </search>
        <option name="charting.chart">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>

Any help is welcome, thanks!

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@3DGjos

Try by mentioning required fields only in base search.

like

index=XXX ("XXXCreateEmptyGame: GameInfo:") action=created  game!=*XX* | table _time action character  

OR

index=XXX ("XXXCreateEmptyGame: GameInfo:") action=created  game!=*XX* | fields _time action character  

View solution in original post

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@3DGjos

Try by mentioning required fields only in base search.

like

index=XXX ("XXXCreateEmptyGame: GameInfo:") action=created  game!=*XX* | table _time action character  

OR

index=XXX ("XXXCreateEmptyGame: GameInfo:") action=created  game!=*XX* | fields _time action character  
0 Karma

3DGjos
Communicator

Can't mark it as the answer :S

0 Karma

MuS
SplunkTrust
SplunkTrust

you could also just use timechart span=1h useother=f count(action) AS "count2" by character usenull=f but to limit or filter on the fields in the base search is much better 😉

cheers, MuS

0 Karma

3DGjos
Communicator

Thanks! it worked!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...