Search is waiting for input message caused by ldapsearch?

wnyricsplunk — Wed, 30 Sep 2020 01:10:34 GMT

I have created a dashboard which shows print jobs by Print Server/Printer/Time. I would like to include the actual name of the user instead of the sAMAccountName. I have added an ldapsearch to a "one-off" query and that works the way I expect.

sourcetype=xmlwineventlog EventCode=307 Computer="fqdnOfPrintServer" | fields UserData_Xml,ThreadID | xmlkv | eval Document=Param2,UserName=Param3,Workstation=Param4,Printer=Param5,IPAddress=Param6,Bytes=Param7,Pages=Param8 | search Printer=* | join type=inner Computer,ThreadID [search sourcetype=xmlwineventlog EventCode=805 | fields UserData_Xml,ThreadID | xmlkv | eval Copies=Copies] | eval TotalPages = Pages * Copies | ldapfilter search="(&(objectclass=user)(!(objectclass=computer))(samAccountName=$UserName$))" attrs="displayName" | table _time,displayName,Printer,Document,Workstation,Pages,Copies,TotalPages

When I put this query into my dashboard and substitute the tokens $host$ for the Print Server and $Printer$ for the printer name, I get a "search is waiting for input" message. From what I have read, this usually means an issue with a token. When I remove the ldapsearch part of the query it works fine but displays only the sAMAccountName. Is the issue the $Username$ token in the ldapsearch? I have tried removing the $ before and after UserName but then the search displays "No results found". Is there a way to mofify this to get the information I want?

<form theme="dark">
  <label>Print Jobs</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="host" searchWhenChanged="true">
      <label>Print Servers</label>
      <choice value="*">All</choice>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>| inputlookup ServerRoles | WHERE Roles="Print-Server" | eval host=Name | sort host | table host</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <initialValue>*</initialValue>
    </input>
    <input type="dropdown" token="Printer" searchWhenChanged="true">
      <label>Printer</label>
      <choice value="*">All</choice>
      <fieldForLabel>Printer</fieldForLabel>
      <fieldForValue>Printer</fieldForValue>
      <search>
        <query>sourcetype=WinPrintMon | search host=$host$ | eval Printer = share | dedup Printer | sort Printer | table Printer</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="time" token="timetok" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>sourcetype=xmlwineventlog EventCode=307 Computer=$$host$$* | fields UserData_Xml,ThreadID | xmlkv | eval Document=Param2,UserName=Param3,Workstation=Param4,Printer=Param5,IPAddress=Param6,Bytes=Param7,Pages=Param8 | search Printer=$$Printer$$* | join type=inner Computer,ThreadID [search sourcetype=xmlwineventlog EventCode=805 | fields UserData_Xml,ThreadID | xmlkv | eval Copies=Copies] | eval TotalPages = Pages * Copies | ldapfilter search="(&amp;(objectclass=user)(!(objectclass=computer))(samAccountName=$UserName$))" attrs="displayName" | table  _time,UserName,displayName,Printer,Document,Workstation,Pages,Copies,TotalPages</query>
          <earliest>$timetok.earliest$</earliest>
          <latest>$timetok.latest$</latest>
          <refresh>30s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Re: Search is waiting for input message caused by ldapsearch?

renjith_nair — Wed, 03 Jul 2019 14:04:08 GMT

@wnyricsplunk,

Try escaping the $ with $$

ie.

samAccountName=$$UserName$$

Re: Search is waiting for input message caused by ldapsearch?

wnyricsplunk — Wed, 03 Jul 2019 14:17:16 GMT

It did change from waiting for input but now there are no results found.

Re: Search is waiting for input message caused by ldapsearch?

FrankVl — Wed, 03 Jul 2019 14:24:00 GMT

why do you use $$ for the host and printer tokens? That should be single $. Try it with single $ signs.

Re: Search is waiting for input message caused by ldapsearch?

wnyricsplunk — Wed, 03 Jul 2019 14:35:31 GMT

That did it! Thank you!!

Re: Search is waiting for input message caused by ldapsearch?

FrankVl — Wed, 03 Jul 2019 14:42:18 GMT

Good. So it was the combination of @renjith.nair his suggestion and mine that solved it? I've converted his comment to an answer, so you can mark it as accepted.

topic Re: Search is waiting for input message caused by ldapsearch? in Splunk Search

Search is waiting for input message caused by ldapsearch?

Re: Search is waiting for input message caused by ldapsearch?

Re: Search is waiting for input message caused by ldapsearch?

Re: Search is waiting for input message caused by ldapsearch?

Re: Search is waiting for input message caused by ldapsearch?

Re: Search is waiting for input message caused by ldapsearch?