Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

"No search query provided" when using base search

PanKokos
Path Finder
‎03-21-2016 09:11 AM

Hi,

I have created quite large dashboard and want to add some optimizations to it. I choose to use base search as a starter here. However I could not make it working. Probably I am missing something basic - could anyone point me how to correct this?

form>
  <label></label>
  <fieldset submitButton="true" autoRun="false">
    <!-- fields -->
  </fieldset>
<search id="baseSearch" >
    <query>
      <query>
        sourcetype="source" | 
        where Type="Profiling" | regex Name ="$Name$" | 
        eval ElapsedTime = ElapsedTime_ms / 1000 / 60 | 
        eval Id = if(IsChild="True", ParentId, ID) | 
        eval Reference = "(".RefSec."-".Name.")-".Id        
      </query>
      <earliest>$field3.earliest$</earliest>
      <latest>$field3.latest$</latest>
    </query>
  </search>
  <row>
    <panel>
      <title></title>
      <chart>
        <search base="baseSearch">
          <query> chart sum(ElapsedTime) as TotalTime over Reference by SectionName | addtotals fieldname=OTHER | eval OTHER=2*TotalExecutionTime - OTHER | fields - TotalExecutionTime | sort -OTHER | head 10</query>
        </search>
<!-- rest of the form -->

What I am missing here?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PanKokos
Path Finder
‎03-21-2016 10:25 AM

Found out - finally it was a typo in a query tags in base query:

     <query>
           <query>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PanKokos
Path Finder
‎03-21-2016 10:25 AM

Found out - finally it was a typo in a query tags in base query:

     <query>
           <query>
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-21-2016 09:14 AM

The earliest and latest on base search is using a token field3 which I don't see available under fieldset ? Did you miss adding a timerange picker to the form ?

0 Karma
Reply
Solved! Jump to solution

PanKokos
Path Finder
‎03-21-2016 09:25 AM

Hi, I have removed the fieldset from sample to reduce XML. Here it is:

<fieldset submitButton="true" autoRun="false">
    <input type="text" token="Name" searchWhenChanged="false">
      <label>Name</label>
      <default>.*</default>
    </input>
    <input type="time" token="field3" searchWhenChanged="false">
      <label>Time range</label>
      <default>
        <earliest>-6h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-21-2016 09:53 AM

Assuming you're got all the syntax correct, so try adding a table command to the base search, like this

 sourcetype="source" | 
         where Type="Profiling" | regex Name ="$Name$" | 
         eval ElapsedTime = ElapsedTime_ms / 1000 / 60 | 
         eval Id = if(IsChild="True", ParentId, ID) | 
         eval Reference = "(".RefSec."-".Name.")-".Id  
| table Reference SectionName ElapsedTime Id...and all other fields to be used in other post process searches
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...