Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dashboard creation not working as expected

Abilan1
Path Finder
‎03-30-2016 12:02 PM

Hi ,

I am trying to create the dashboard for the below query, but it is showing no results in dashboard. Am able to get the result when I do the search.

index=Test host=XXX "ABNUM" | map search="search source=$source$ | streamstats current=f last(_raw) AS next_line | search \" took \" next_line=\"*ABNUM*\"" | dedup _raw next_line | rex "query took (?\d+).*\((?\d+) seconds\)"

X-axis querySeconds and Y-axis Count of event

0 Karma
Reply

woodcock
Esteemed Legend
‎03-30-2016 12:14 PM

The dollar-sign syntax is used both by map and by xml so you need to escape them (by doubling) for the XML parsing so they make it to map.

Try this:

index=Test host=XXX "ABNUM" | map search="search source=$$source$$ | streamstats current=f last(_raw) AS next_line | search \" took \" next_line=\"*ABNUM*\"" | dedup _raw next_line | rex "query took (?\d+).*\((?\d+) seconds\)"
Reply

Abilan1
Path Finder
‎03-30-2016 12:21 PM

Hi,

It's not working If I use $$source$$. am getting zero results...

0 Karma
Reply

woodcock
Esteemed Legend
‎03-30-2016 12:46 PM

It definitely should work (this is simple XML, right?)

See here for same second opinion:

https://answers.splunk.com/answers/209024/why-is-the-map-command-not-working-in-dashboard-an.html

0 Karma
Reply

Abilan1
Path Finder
‎03-30-2016 12:51 PM

It's not working for me. If I try with single $, am getting proper result in search but with $$source$$. am getting zero result only.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...