Re: Dashboard creation not working as expected

Abilan1 · ‎03-30-2016

Hi ,

I am trying to create the dashboard for the below query, but it is showing no results in dashboard. Am able to get the result when I do the search.

index=Test host=XXX "ABNUM" | map search="search source=$source$ | streamstats current=f last(_raw) AS next_line | search \" took \" next_line=\"*ABNUM*\"" | dedup _raw next_line | rex "query took (?\d+).*\((?\d+) seconds\)"

X-axis querySeconds and Y-axis Count of event

woodcock · ‎03-30-2016

The dollar-sign syntax is used both by map and by xml so you need to escape them (by doubling) for the XML parsing so they make it to map.

Try this:

index=Test host=XXX "ABNUM" | map search="search source=$$source$$ | streamstats current=f last(_raw) AS next_line | search \" took \" next_line=\"*ABNUM*\"" | dedup _raw next_line | rex "query took (?\d+).*\((?\d+) seconds\)"

Abilan1 · ‎03-30-2016

Hi,

It's not working If I use $$source$$. am getting zero results...

woodcock · ‎03-30-2016

It definitely should work (this is simple XML, right?)

See here for same second opinion:

https://answers.splunk.com/answers/209024/why-is-the-map-command-not-working-in-dashboard-an.html

Abilan1 · ‎03-30-2016

It's not working for me. If I try with single $, am getting proper result in search but with $$source$$. am getting zero result only.

Dashboard creation not working as expected

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Dashboard creation not working as expected

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases