Dashboard creation not working as expected - Splunk Community

Dashboards & Visualizations

Hi ,

I am trying to create the dashboard for the below query, but it is showing no results in dashboard. Am able to get the result when I do the search.

index=Test host=XXX "ABNUM" | map search="search source=$source$ | streamstats current=f last(_raw) AS next_line | search \" took \" next_line=\"*ABNUM*\"" | dedup _raw next_line | rex "query took (?\d+).*\((?\d+) seconds\)"

X-axis querySeconds and Y-axis Count of event

The dollar-sign syntax is used both by map and by xml so you need to escape them (by doubling) for the XML parsing so they make it to map.

Try this:

index=Test host=XXX "ABNUM" | map search="search source=$$source$$ | streamstats current=f last(_raw) AS next_line | search \" took \" next_line=\"*ABNUM*\"" | dedup _raw next_line | rex "query took (?\d+).*\((?\d+) seconds\)"

Hi,

It's not working If I use $$source$$. am getting zero results...

It definitely should work (this is simple XML, right?)

See here for same second opinion:

https://answers.splunk.com/answers/209024/why-is-the-map-command-not-working-in-dashboard-an.html

It's not working for me. If I try with single $, am getting proper result in search but with $$source$$. am getting zero result only.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened Audit Trail v2 wasn’t written in isolation—it was shaped by your voices. In ...