I have created an Active Directory dashboard panel that shows the successful logins of Non EU accounts for the last 24 hours. It shows me the output when I create it, but when I save it as a dashboard panel it does not show any output. It shows a warning sign saying "search is waiting for input...".
Any help regarding this would be much appreciated.
Thanks
I just ran into this issue with a new dashboard and eventually pinned it down to the fact that the token I had set in my dropdown was not being populated into the request query string, so the search couldn't find it.
The solution was to refresh the dashboard.
Don't use '&' in the search but use instead the escaped characters:
http://stackoverflow.com/questions/1091945/what-characters-do-i-need-to-escape-in-xml-documents
No need to point to other sites 😉 you can use this answer
https://answers.splunk.com/answers/3435/escape-and-in-the-xml-of-dashboards.html
or the docs
In both cases, it looks like there are dollar signs ($) in the search string. You need to escape them with a second one ($$) in order to avoid the message. Otherwise Splunk thinks everything after the $ is a variable (that hasn't been populated).
Like the first answer suggests, it might be an issue with the XML seeing an unset token; looks like the source is your search string. I'm not sure if that is an expected result of including $ in your searches, or if it's a bug, so hopefully someone else can clarify. You should be able to work around it by changing your search string to have double $'s. It won't work in the search, but it will work in the dashboard. IE:
<searchString>index = windows NOT Account_Name="*$$" Account_Domain != - AND Account_Domain != EU EventCode=4634 | stats count by Account_Domain , Account_Name</searchString>
<searchString>index=windows EventCode=4624 | mvexpand Account_Name | mvexpand Account_Domain | search Account_Name!="*$$" NOT Account_Name = "#*" Account_Domain != EU Account_Domain != NT* NOT Account_Name = "*$$" Account_Name !="-" Account_Domain !="-" | stats count by Account_Name , Account_Domain</searchString>
<searchString>index=windows EventCode=4624 | mvexpand Account_Name | mvexpand Account_Domain | search Account_Name!="*$$" NOT Account_Name = "#*" Account_Domain != EU Account_Domain != NT* NOT Account_Name = "*$$" Account_Name !="-" Account_Domain !="-" | stats count by Account_Name , Account_Domain</searchString>
"I'm not sure if that is an expected result of including $ in your searches": the case is to pass a variable into a new search
| map search="search $uid$" | ...
Hi, it is still not working. Actually I have 4 dashboard panels of Active Directory but only two are showing information, and two are waiting for input. The source code of the form view is given below:
AD Auth Report
Passed Logins
<input type="multiselect" searchWhenChanged="true" token="mv5">
<default>[object Object]</default>
</input>
<panel>
<table>
<title>Passed Logins</title>
<searchString>index = windows NOT Account_Name="*$" Account_Domain != - AND Account_Domain != EU EventCode=4634 | stats count by Account_Domain , Account_Name</searchString>
</table>
</panel>
<panel>
<event>
<title>Passed Non EU Account</title>
<searchString>index=windows EventCode=4624 | mvexpand Account_Name | mvexpand Account_Domain | search Account_Name!="*$" NOT Account_Name = "#*" Account_Domain != EU Account_Domain != NT* NOT Account_Name = "*$" Account_Name !="-" Account_Domain !="-" | stats count by Account_Name , Account_Domain</searchString>
<earliestTime>-24h@h</earliestTime>
<latestTime>now</latestTime>
<option name="wrap">true</option>
<option name="rowNumbers">0</option>
<option name="dataOverlayMode">none</option>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="table.drilldown">all</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
<option name="count">10</option>
<fields>["host","source","sourcetype"]</fields>
</event>
</panel>
<panel>
<table>
<title>Failed User Logon in last 24 Hrs</title>
<searchString>index=windows EventCode=4625 | rex "(?ms)Failure Information.+?Failure Reason:\s+(?<failure_information>\V+)" | stats count by ComputerName , Workstation_Name, user , Source_Network_Address, failure_information, signature | sort -count</searchString>
<earliestTime>-24h@h</earliestTime>
<latestTime>now</latestTime>
</table>
</panel>
<panel>
<event>
<title>Passed Non EU Accounts</title>
<searchName>Passed Non EU Accounts</searchName>
<searchString>index=windows EventCode=4624 | mvexpand Account_Name | mvexpand Account_Domain | search Account_Name!="*$" NOT Account_Name = "#*" Account_Domain != EU Account_Domain != NT* NOT Account_Name = "*$" Account_Name !="-" Account_Domain !="-" | stats count by Account_Name , Account_Domain</searchString>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">0</option>
<option name="table.drilldown">all</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
<option name="count">10</option>
<fields>["host","source","sourcetype"]</fields>
</event>
</panel>
Was there a solution to this question?
I too am having this issue. I can run the search in a search window, however if I add the same search as a panel in a dashboard (new or existing) I get the "search is waiting for input" message.
My search is:
index="genband-cdr" AM00SBC07 OR AM00SBC08 | fillnull value="sucessful" S3_call_error2 | top S3_call_error2 useother=f | where percent >3| map search="search S3_call_error2=$S3_call_error2$ | top S3_call_error2 by S3_call_dest_custid |sort 3 -count |rename S3_call_dest_custid AS PTSID S3_call_error2 AS Error| table PTSID, Error"
This happens when you have a token in your view which is not set, like having an input form with a token "host" (called $host$ in the XML code) that is never set in your view.
Double check your code and the tokens you are using in your input forms (pulldown, multiselect...).
@ppapblo
I see, I didn't realize 🙂 tks!
@guilmxm
Just suspended and removed all posts by the user leetistur that you downvoted for their google answer 😛 They were a spammer
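The two causes described in this thread (a literal `$` that needs to be written `$$`, and a `$token$` that no input ever sets) can be checked before a dashboard is saved. The following is an added example, not code from any poster or from Splunk: a small linter built on the simplified assumption that `$$` is a literal dollar sign and any other `$...$` pair is read as a token. The function names and the sample dashboard are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Simplified model (assumption, not Splunk's actual parser): "$$" is a literal
# dollar sign; any other "$...$" pair is read as a token reference.
TOKEN = re.compile(r"\$\$|\$([^$]*)\$|\$")

def lint_search(search, defined):
    """Return findings for one dashboard search string."""
    findings = []
    for m in TOKEN.finditer(search):
        if m.group(0) == "$$":
            continue  # already escaped
        if m.group(1) is None:
            findings.append(("stray-dollar", m.start()))  # unpaired literal $
        elif m.group(1) not in defined:
            findings.append(("unset-token", m.group(1)))  # panel waits for input
    return findings

def escape_literals(search, defined):
    """Double every '$' that is not part of a defined token reference."""
    def repl(m):
        if m.group(0) == "$$" or m.group(1) in defined:
            return m.group(0)
        return m.group(0).replace("$", "$$")
    return TOKEN.sub(repl, search)

def lint_dashboard(xml_text):
    """Check each <searchString> against tokens declared by <input token=...>."""
    root = ET.fromstring(xml_text)
    defined = {i.get("token") for i in root.iter("input") if i.get("token")}
    return [(s.text, lint_search(s.text, defined)) for s in root.iter("searchString")]

# Constructed sample dashboard: $dom$ is a real token, the other two $ are literals.
SAMPLE = """<form>
  <fieldset><input type="dropdown" token="dom"/></fieldset>
  <row><panel><table>
    <searchString>index=windows EventCode=4624 Account_Domain=$dom$ Account_Name!="*$" NOT Account_Name="#*$"</searchString>
  </table></panel></row>
</form>"""

if __name__ == "__main__":
    for search, findings in lint_dashboard(SAMPLE):
        print(findings)
        print(escape_literals(search, {"dom"}))
```

In the sample, the two literal dollar signs pair up into one bogus token spanning the text between them, which matches the pattern in the posted form: the panels whose searches contain two `$` are the ones that wait for input.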