Reputation: 8990
I have a dashboard that is using a base search, along with 4 other panels that reference this and format the results differently depending on the chart I want to use.
When I run the base query by itself, it returns the data as expected.
Base Query:
index=mail sourcetype=barracuda bcProcess="outbound/smtp"
[ search index=mail sourcetype=barracuda
[ search index=mail sourcetype=sendmail_syslog msgid="<*@sfdc.net>"
| rex field=from "<(?<bcSender>.*)>"
| stats count by bcSender
| fields bcSender
| format
]
| stats count by bcMsgId
| fields bcMsgId
]
In one panel, I am showing a single, total number sent as follows:
<search base="main_results">
<query>
| stats count(bcMsgId) as total
</query>
</search>
Same with another panel that shows it hourly using a line chart:
<search base="main_results">
<query>
| timechart span=1h count AS "Total Sends"
</query>
</search>
Both of the above panels work just fine when referencing the base query.
The problem I am running into is on a pie-chart.
<panel>
<chart>
<title>Send Action Breakdown</title>
<search base="main_results">
<query>| rename bcSendAction as "Send Action"
| chart count as Total by "Send Action"
| eval "Send Action"="Send Action"." (".Total.")"
| replace 1 WITH "Success" , 2 WITH "Block" , 3 WITH "Deferral" IN "Send Action"</query>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="height">460</option>
<option name="refresh.display">progressbar</option>
<option name="charting.chart.showPercent">true</option>
</chart>
</panel>
When the dashboard tries to load this panel, it always returns "No results found". However, if I copy the base query into a search, and then paste the query from this panel right below it, I get results as expected.
Question:
Why would this panel, using the same base query, have issues getting the data when I can manually paste both parts and it runs fine?
Update for Bounty Clarity: My dashboard has 4 panels, and 3 of them pretty much use an identical search query which is why I was trying to get the base search set up so they could all reference it.
Here are my 4 separate searches for the 4 panels if it helps with showing how I was trying to split it up for my base to function correctly.
// Total Emails Sent
index=mail sourcetype=barracuda bcProcess="outbound/smtp"
[ search index=mail sourcetype=barracuda
[ search index=mail sourcetype=sendmail_syslog msgid="<*@sfdc.net>"
| rex field=from "<(?<bcSender>.*)>"
| stats count as Total by bcSender
| fields bcSender
| format
]
| stats count as Total by bcMsgId
| fields bcMsgId, bcSendAction
]
| stats count(bcMsgId) as total
// Emails per hour
index=mail sourcetype=barracuda bcProcess="outbound/smtp"
[ search index=mail sourcetype=barracuda
[ search index=mail sourcetype=sendmail_syslog msgid="<*@sfdc.net>"
| rex field=from "<(?<bcSender>.*)>"
| stats count as Total by bcSender
| fields bcSender
| format
]
| stats count as Total by bcMsgId
| fields bcMsgId, bcSendAction
]
| bin _time as hour span=1h
| stats count as hourcount by hour
| eval hour=strftime(hour,"%H:%M")
| chart sum(hourcount) as count by hour
// Top 10 Senders
index=mail sourcetype=sendmail_syslog msgid="<*@sfdc.net>"
| rex field=from "<(?<bcSender>.*)>"
| stats count as Total by bcSender
| rename bcSender as "From Address"
| sort -Total | head 10
// Action Breakdown
index=mail sourcetype=barracuda bcProcess="outbound/smtp"
[ search index=mail sourcetype=barracuda
[ search index=mail sourcetype=sendmail_syslog msgid="<*@sfdc.net>"
| rex field=from "<(?<bcSender>.*)>"
| stats count as Total by bcSender
| fields bcSender
| format
]
| stats count as Total by bcMsgId
| fields bcMsgId, bcSendAction
]
| stats count as Total by bcSendAction
| rename bcSendAction as Action
| replace 1 WITH "Success" , 2 WITH "Block" , 3 WITH "Deferral" IN Action
| eval "Action"=Action." (".Total.")"
Upvotes: 4
Views: 3071
Reputation: 11
Include the field bcSendAction you need in your pie chart in your base | fields statement. Assume the base search runs in FAST mode. Any fields not explicitly called in the base will not be available to the post-process searches.
Upvotes: 1
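The fix described in the answer above, shown as a Simple XML sketch. This is an added example, not code from either poster: the base search keeps the question's query and ends with an explicit `| fields` list, so the post-process pie chart can read bcSendAction. The dashboard label and the earliest/latest time range are assumptions.

```xml
<dashboard>
  <label>Outbound mail (constructed example)</label>
  <!-- Base search returns raw events (non-transforming), so it must name
       every field that any post-process search reads. -->
  <search id="main_results">
    <query><![CDATA[
index=mail sourcetype=barracuda bcProcess="outbound/smtp"
    [ search index=mail sourcetype=barracuda
        [ search index=mail sourcetype=sendmail_syslog msgid="<*@sfdc.net>"
        | rex field=from "<(?<bcSender>.*)>"
        | stats count by bcSender
        | fields bcSender
        | format ]
    | stats count by bcMsgId
    | fields bcMsgId ]
| fields _time, bcMsgId, bcSendAction
    ]]></query>
    <!-- Assumed time range; use whatever the dashboard already uses -->
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <chart>
        <title>Send Action Breakdown</title>
        <!-- Post-process search: sees only the fields listed in the base -->
        <search base="main_results">
          <query>| stats count as Total by bcSendAction
| rename bcSendAction as Action
| replace 1 WITH "Success", 2 WITH "Block", 3 WITH "Deferral" IN Action
| eval Action=Action." (".Total.")"</query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

The panels that count bcMsgId or run timechart keep working because bcMsgId and _time are also in the base field list.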