The host input dropdown in the Netskope App shows an error that it "Could not create search."
By looking at the dashboard XML source we observe:

    <label>Host Input</label>
    <default>*</default>
    <choice value="*">All</choice>
    <search>
      <query>| `netskope_configured_inputs`</query>
      <earliest>$time_range.earliest$</earliest>
      <latest>$time_range.latest$</latest>
    </search>

If we remove the leading pipe (|) from the query, the error is gone.
The dropdown will now show the FQDN of the Netskope server which feeds the events. I'm wondering if this is the expected behavior. I would have expected to see the computer names under this dropdown.
v1.1.0 and v1.0.5 do contain this bug. The macro behind the dropdown was reconfigured, but this dropdown was missed. Look for a new maintenance release to fix this.
The app will also change from "Host Input" to something more clear, as it was intended to be the source Netskope tenant.
The macro should be changed to:

    [netskope_configured_inputs]
    definition = tstats count where sourcetype=netskope:* by host | fields host