As the title suggests, I'm having issues with a base search that I'm trying to create. The base search uses tokens to pull info from a data model and the actual search uses stats to get a count of vendor products. The issue that I'm having is that the search runs normally without the base search, but when it is split up using the base search there is information missing. Clicking on the magnifying glass (in the table with the missing info) opens a new search that reconnects the searches and comes up with the correct info. I'm baffled as to why this is happening. I've done research about this issue and all that I've found is this question - https://answers.splunk.com/answers/608175/splunk-dashboard-base-search-gives-result-which-is.html
As far as I know, it shouldn't be an issue with limits.conf because the search is returning fewer than 50 results.
Base Search:
<search id="baseSearch1">
  <query>
    $control_token_visualizations$
    |from datamodel:"Malware.Malware_Attacks"
    |search $env_tok$ dest="*$hostname_tok$*"$avtype_tok$ vendor_product="$vendor_tok$" sourcetype!=carbonblack:defense:json
  </query>
  <earliest>$time_tok.earliest$</earliest>
  <latest>$time_tok.latest$</latest>
</search>
Continued search:
<panel>
  <title>Top Destinations</title>
  <table>
    <search base="baseSearch1">
      <query>
        |stats values(vendor_product) count by dest
        |rename values(vendor_product) AS "Vendor Product"
        |sort - count
      </query>
    </search>
    <option name="count">15</option>
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>