
Why doesn't my XML base search work?

varad_joshi
Communicator

I am playing with my base search and wondering why this is not working for me. My XML is as below. Pretty simple one, huh?

So the base search is just index=xyz for the last 60 minutes, and the data has a field called action. I want a timechart on that action.
As the result it just shows a timechart on action (NULL) only, and not all values.

If I open the same search in another window, I get the proper result. Why such behavior?

<dashboard>
  <search id="basesearch">
    <query>index=xyz</query>
    <earliest>-60m</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <chart>
        <search base="basesearch">
          <query>stats count by action</query>
        </search>
      </chart>
    </panel>
  </row>
</dashboard>

PS: If I run stats count instead of timechart then it shows "No Result found", but the same query works well in search.

0 Karma
1 Solution

niketn
Legend

@varad_joshi, you can try to return specific fields, or try | fields * in your base search, and then see whether your post-process query picks it up or not. However, you should refer to the Post Processing Best Practices, which say that the base search should have a transforming command and that you must not try to pass raw events through the base search (in such cases you might be better off running separate searches instead of post processing).

Check out the examples on how you should ideally perform post processing (multiple and multi-level).

<search id="basesearch">
  <query>index=xyz | fields action</query>
  <earliest>-60m</earliest>
  <latest>now</latest>
</search>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

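As an added check, not part of niketn's answer or of Splunk itself: a small Python linter that parses a Simple XML dashboard, resolves each post-process search's base= reference, and warns when the base search has neither a transforming command nor a fields command in its pipeline, which is the situation in the original question. The SAFE_COMMANDS set, the two embedded dashboards (the original, and a fixed version with "| fields action" feeding two panels) and the function names are all constructed for this example.

```python
import xml.etree.ElementTree as ET

# Commands after which a base search still leaves the fields a post-process search
# needs: the transforming commands plus "fields" (the fix suggested in the answer).
# Assumption: this set is the linter's own choice; extend it for your dashboards.
SAFE_COMMANDS = {"stats", "chart", "timechart", "top", "rare", "fields"}

# Constructed sample: the dashboard from the question (base search passes raw events).
ORIGINAL_DASHBOARD = """
<dashboard>
  <search id="basesearch">
    <query>index=xyz</query>
    <earliest>-60m</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <chart>
        <search base="basesearch">
          <query>stats count by action</query>
        </search>
      </chart>
    </panel>
  </row>
</dashboard>
"""

# Constructed sample: base search restricted with "| fields", feeding two panels.
FIXED_DASHBOARD = """
<dashboard>
  <search id="basesearch">
    <query>index=xyz | fields action</query>
    <earliest>-60m</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <chart>
        <search base="basesearch">
          <query>stats count by action</query>
        </search>
      </chart>
    </panel>
    <panel>
      <chart>
        <search base="basesearch">
          <query>timechart count by action</query>
        </search>
      </chart>
    </panel>
  </row>
</dashboard>
"""


def pipeline_commands(query):
    """Return the command name of every stage after the initial event search.

    Stages are split on '|'; a pipe inside a quoted regex would be split too,
    which is acceptable for a lint pass but not for a real SPL parser.
    """
    stages = [s.strip() for s in query.split("|")]
    return [s.split()[0].lower() for s in stages[1:] if s]


def base_search_is_safe(query):
    """True when the base search has a transforming command or selects fields."""
    return any(cmd in SAFE_COMMANDS for cmd in pipeline_commands(query))


def lint_dashboard(xml_text):
    """Return a list of warnings about post-process searches in a Simple XML dashboard."""
    root = ET.fromstring(xml_text.strip())

    # First pass: collect every search that carries an id (a potential base search).
    base_queries = {}
    for search in root.iter("search"):
        search_id = search.get("id")
        if search_id:
            base_queries[search_id] = (search.findtext("query") or "").strip()

    # Second pass: check every search that references a base.
    warnings = []
    for search in root.iter("search"):
        base_id = search.get("base")
        if base_id is None:
            continue
        post_query = (search.findtext("query") or "").strip()
        if base_id not in base_queries:
            warnings.append(f"'{post_query}' references unknown base search '{base_id}'")
        elif not base_search_is_safe(base_queries[base_id]):
            warnings.append(
                f"base '{base_id}' ({base_queries[base_id]}) passes raw events; "
                f"post-process '{post_query}' may see no fields"
            )
    return warnings


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_DASHBOARD), ("fixed", FIXED_DASHBOARD)):
        print(name, lint_dashboard(text) or "OK")
```

Run it against your own dashboard XML by passing the file contents to lint_dashboard; a warning on a base search means the post-process panels may render NULL or "No results found" while the same query works in the search bar, exactly the symptom described in the question.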
varad_joshi
Communicator

Thanks Niket.
Yes, I figured that out later, once I had posted the question.

Thanks for your answer.

0 Karma

ddrillic
Ultra Champion

Aren't you missing the pipe at <query>stats count by action</query>, meaning something like <query>| stats count by action</query>?

niketn
Legend

@ddrillic, I don't think a pipe is mandatory for post-process searches.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ddrillic
Ultra Champion

Fair enough - thank you @niketnilay.
