How to get rid of warning sign "search is waiting for input ..." and display the data in dashboard panel?

asharjaved
Engager

I have created a dashboard panel of Active Directory that shows the successful logins of Non EU accounts for the last 24 hours. It shows me the output when I create it, but when I save it as a dashboard panel it does not show any output. It shows the warning sign saying "search is waiting for input...".

Any help regarding this would be much appreciated.

Thanks

declanshanaghy
Explorer

I just ran into this issue with a new dashboard and eventually pinned it down to the fact that the token I had set in my dropdown was not being populated into the request query string, so the search couldn't find it.

The solution was to refresh the dashboard.

daniel_augustyn
Contributor

Don't use '&' in the search; use the escaped characters instead:

http://stackoverflow.com/questions/1091945/what-characters-do-i-need-to-escape-in-xml-documents

MuS
SplunkTrust
0 Karma

alaorath
Path Finder

In both cases, it looks like there are dollar signs ($) in the search string. You need to escape them with a second one ($$) in order to avoid the message. Otherwise Splunk thinks everything after the $ is a variable (that hasn't been populated).

bwheelock
Path Finder

Like the first answer suggests, it might be an issue with the XML seeing an unset token; looks like the source is your search string. I'm not sure if that is an expected result of including $ in your searches, or if it's a bug, so hopefully someone else can clarify. You should be able to work around it by changing your search string to have double $'s. It won't work in the search, but it will work in the dashboard. IE:

<searchString>index = windows  NOT Account_Name="*$$" Account_Domain != - AND Account_Domain != EU  EventCode=4634 | stats count by Account_Domain , Account_Name</searchString>

<searchString>index=windows EventCode=4624   | mvexpand Account_Name   | mvexpand Account_Domain   | search Account_Name!="*$$" NOT Account_Name = "#*" Account_Domain != EU Account_Domain != NT* NOT Account_Name = "*$$" Account_Name !="-"  Account_Domain !="-" | stats count by Account_Name , Account_Domain</searchString>

<searchString>index=windows EventCode=4624   | mvexpand Account_Name   | mvexpand Account_Domain   | search Account_Name!="*$$" NOT Account_Name = "#*" Account_Domain != EU Account_Domain != NT* NOT Account_Name = "*$$" Account_Name !="-"  Account_Domain !="-" | stats count by Account_Name , Account_Domain</searchString>

yuraminsk
Engager

"I'm not sure if that is an expected result of including $ in your searches"

The case is to pass a variable into a new search:

    | map search="search $uid$" | ...

0 Karma

ashari
Explorer

Hi, it is still not working. Actually I have 4 dashboard panels of Active Directory, but only two are showing information, and two are waiting for input. The source code of the form view is given below:

AD Auth Report
Passed Logins

<input type="multiselect" searchWhenChanged="true" token="mv5">
  <default>[object Object]</default>
</input>


<panel>
  <table>
    <title>Passed Logins</title>
    <searchString>index = windows  NOT Account_Name="*$" Account_Domain != - AND Account_Domain != EU  EventCode=4634 | stats count by Account_Domain , Account_Name</searchString>
  </table>
</panel>


<panel>
  <event>
    <title>Passed Non EU Account</title>
    <searchString>index=windows EventCode=4624   | mvexpand Account_Name   | mvexpand Account_Domain   | search Account_Name!="*$" NOT Account_Name = "#*" Account_Domain != EU Account_Domain != NT* NOT Account_Name = "*$" Account_Name !="-"  Account_Domain !="-" | stats count by Account_Name , Account_Domain</searchString>
    <earliestTime>-24h@h</earliestTime>
    <latestTime>now</latestTime>
    <option name="wrap">true</option>
    <option name="rowNumbers">0</option>
    <option name="dataOverlayMode">none</option>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="table.drilldown">all</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
    <option name="count">10</option>
    <fields>["host","source","sourcetype"]</fields>        
  </event>
</panel>


<panel>
  <table>
    <title>Failed User Logon in last 24 Hrs</title>
    <searchString>index=windows  EventCode=4625    | rex "(?ms)Failure Information.+?Failure Reason:\s+(?&lt;failure_information&gt;\V+)" | stats count by ComputerName , Workstation_Name, user , Source_Network_Address, failure_information, signature | sort -count</searchString>
    <earliestTime>-24h@h</earliestTime>
    <latestTime>now</latestTime>
  </table>
</panel>


<panel>
  <event>
    <title>Passed Non EU Accounts</title>
    <searchName>Passed Non EU Accounts</searchName>
     <searchString>index=windows EventCode=4624   | mvexpand Account_Name   | mvexpand Account_Domain   | search Account_Name!="*$" NOT Account_Name = "#*" Account_Domain != EU Account_Domain != NT* NOT Account_Name = "*$" Account_Name !="-"  Account_Domain !="-" | stats count by Account_Name , Account_Domain</searchString>
     <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="rowNumbers">0</option>
    <option name="table.drilldown">all</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
    <option name="count">10</option>
    <fields>["host","source","sourcetype"]</fields>
  </event>
</panel>
0 Karma

lennys26
Communicator

Was there a solution to this question?

I too am having this issue. I can run the search in a search window, however if I add the same search as a panel in a dashboard (new or existing) I get the "search is waiting for input" message.

My search is:

    index="genband-cdr" AM00SBC07 OR AM00SBC08 | fillnull value="sucessful" S3_call_error2 | top S3_call_error2 useother=f | where percent >3| map search="search S3_call_error2=$S3_call_error2$ | top S3_call_error2 by S3_call_dest_custid |sort 3 -count |rename S3_call_dest_custid AS PTSID S3_call_error2 AS Error| table PTSID, Error"
0 Karma

guilmxm
SplunkTrust

This happens when you have a token in your view which is not set, like having an input form with a token "host" (called $host$ in the XML code) that is never set in your view.
Double-check your code and the tokens you are using in your input forms (pulldown, multiselect...).
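
Added example, not part of the thread or of Splunk's own code: a small Python check for the two causes described in the answers above (a literal `$` that the dashboard reads as a token delimiter, and a `$token$` that no input defines). It assumes, as the answers describe, that `$$` is a literal dollar and that any other pair of `$` delimits a token; the sample dashboard and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SEARCH_TAGS = {"searchString", "query"}

# Constructed sample, shortened from the searches posted in this thread.
SAMPLE = """<form>
  <fieldset><input type="multiselect" token="mv5"/></fieldset>
  <row><panel><table><title>Passed Logins</title>
    <searchString>index=windows NOT Account_Name="*$" EventCode=4634 | stats count by Account_Name</searchString>
  </table></panel></row>
  <row><panel><event><title>Passed Non EU Account</title>
    <searchString>index=windows EventCode=4624 | search Account_Name!="*$" Account_Domain!=EU NOT Account_Name="*$" | stats count by Account_Name</searchString>
  </event></panel></row>
  <row><panel><table><title>Errors by customer</title>
    <searchString>index="genband-cdr" | top S3_call_error2 | map search="search S3_call_error2=$S3_call_error2$"</searchString>
  </table></panel></row>
</form>"""

def find_unset_tokens(dashboard_xml):
    """Return [(panel_title, token_text)] for every $...$ span no <input> defines."""
    root = ET.fromstring(dashboard_xml)
    defined = {el.get("token") for el in root.iter("input") if el.get("token")}
    findings = []
    for panel in root.iter("panel"):
        title = panel.findtext(".//title", default="(untitled)")
        for el in panel.iter():
            if el.tag not in SEARCH_TAGS or not el.text:
                continue
            text = el.text.replace("$$", "")  # assumption: $$ is a literal dollar
            for m in re.finditer(r"\$([^$]*)\$", text):
                if m.group(1) not in defined:
                    findings.append((title, m.group(1)))
    return findings

def escape_literal_dollars(search, defined=()):
    """Double every $ that is not already doubled or part of a defined $token$."""
    names = "|".join(re.escape(n) for n in defined)
    keep = r"\$\$" + (rf"|\$(?:{names})\$" if names else "")
    pattern = re.compile(rf"({keep})|\$")
    return pattern.sub(lambda m: m.group(1) or "$$", search)

if __name__ == "__main__":
    for title, token in find_unset_tokens(SAMPLE):
        print(f"panel {title!r}: unset token {token!r}")
    print(escape_literal_dollars('NOT Account_Name="*$"'))
```

In the second sample panel the reported "token" is the search text between the two `"*$"` patterns, which shows how two literal dollars pair up into a token that never gets set.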

guilmxm
SplunkTrust

@ppablo

I see, I didn't realize 🙂 tks!

0 Karma

ppablo
Retired

@guilmxm

Just suspended and removed all posts by the user leetistur that you downvoted for their google answer 😛 They were a spammer

0 Karma
