Why am I getting a "Search is waiting for input" message on my dashboard panel?

HCadmins
Communicator

Hi Splunkers!

I am getting "Search is waiting for input..." on one of my dashboard panels. Based on reading other Splunk Answers it seems there may be malformed XML. I used the pivot builder for this, so I am not sure where the issue is. Any help would be appreciated.

<row>
    <panel>
      <chart>
        <title>UCS / VMware Overlay</title>
        <search>
          <query>(index=* OR index=_*) ((source=cisco:ucs:faultInst*) OR (sourcetype=vmware:esxlog*))  | rename Application AS EventObject.Application CPU AS EventObject.CPU CPU_Message AS EventObject.CPU_Message Cpu AS EventObject.Cpu Level AS EventObject.Level Message AS EventObject.Message Object AS EventObject.Object Offset AS EventObject.Offset Type AS EventObject.Type VM AS EventObject.VM WorldId AS EventObject.WorldId accessGenNo AS EventObject.accessGenNo address AS EventObject.address app AS EventObject.app args AS EventObject.args arguments AS EventObject.arguments body AS EventObject.body cc AS EventObject.cc chainId AS EventObject.chainId changeTag AS EventObject.changeTag clnPwrOff AS EventObject.clnPwrOff code AS EventObject.code computeResource AS EventObject.computeResource config_version AS EventObject.config_version createdTime AS EventObject.createdTime curBytes AS EventObject.curBytes curPowerOnCount AS EventObject.curPowerOnCount curPwrState AS EventObject.curPwrState datacenter AS EventObject.datacenter date_hour AS EventObject.date_hour date_mday AS EventObject.date_mday date_minute AS EventObject.date_minute date_month AS EventObject.date_month date_second AS EventObject.date_second date_wday AS EventObject.date_wday date_year AS EventObject.date_year date_zone AS EventObject.date_zone defaults AS EventObject.defaults descr AS EventObject.descr description AS EventObject.description dest AS EventObject.dest details AS EventObject.details dn AS EventObject.dn ds AS EventObject.ds dvs AS EventObject.dvs dynamicType AS EventObject.dynamicType enabled AS EventObject.enabled encoding AS EventObject.encoding eventTypeId AS EventObject.eventTypeId eventtype AS EventObject.eventtype explanation AS EventObject.explanation fault AS EventObject.fault faultCause AS EventObject.faultCause fileOwner AS EventObject.fileOwner fileSize AS EventObject.fileSize fileType AS EventObject.fileType fullFormattedMessage AS EventObject.fullFormattedMessage group AS 
EventObject.group handshakeTimeoutUs AS EventObject.handshakeTimeoutUs hostId AS EventObject.hostId hostReporting AS EventObject.hostReporting host_list_version AS EventObject.host_list_version id AS EventObject.id index AS EventObject.index ioSizeBytes AS EventObject.ioSizeBytes isolated AS EventObject.isolated key AS EventObject.key linecount AS EventObject.linecount master AS EventObject.master matchPattern AS EventObject.matchPattern maxObjectUpdates AS EventObject.maxObjectUpdates maxWaitSeconds AS EventObject.maxWaitSeconds message AS EventObject.message modification AS EventObject.modification msg AS EventObject.msg name AS EventObject.name needsUnregister AS EventObject.needsUnregister net AS EventObject.net newPwrState AS EventObject.newPwrState oIO AS EventObject.oIO objectId AS EventObject.objectId objectName AS EventObject.objectName objectType AS EventObject.objectType opID AS EventObject.opID powerInfo AS EventObject.powerInfo prevBytes AS EventObject.prevBytes prevCommands AS EventObject.prevCommands punct AS EventObject.punct query AS EventObject.query rc AS EventObject.rc returnoutput AS EventObject.returnoutput searchCaseInsensitive AS EventObject.searchCaseInsensitive service AS EventObject.service severity AS EventObject.severity soapenc AS EventObject.soapenc soapenv AS EventObject.soapenv sortFoldersFirst AS EventObject.sortFoldersFirst splunk_server AS EventObject.splunk_server src AS EventObject.src startAction AS EventObject.startAction startDelay AS EventObject.startDelay startOrder AS EventObject.startOrder state AS EventObject.state stopAction AS EventObject.stopAction stopDelay AS EventObject.stopDelay subject AS EventObject.subject system_name AS EventObject.system_name tag AS EventObject.tag tag::eventtype AS EventObject.tag::eventtype timeendpos AS EventObject.timeendpos timeout AS EventObject.timeout timestamp AS EventObject.timestamp timestartpos AS EventObject.timestartpos type AS EventObject.type user AS EventObject.user userName 
AS EventObject.userName val AS EventObject.val value AS EventObject.value version AS EventObject.version versionId AS EventObject.versionId vm AS EventObject.vm vmDowntime AS EventObject.vmDowntime vmPrecopyBandwidth AS EventObject.vmPrecopyBandwidth vmPrecopyStunTime AS EventObject.vmPrecopyStunTime vm_metadata_version AS EventObject.vm_metadata_version waitForHeartbeat AS EventObject.waitForHeartbeat worldID AS EventObject.worldID x3a AS EventObject.x3a x480 AS EventObject.x480 x481 AS EventObject.x481 x482 AS EventObject.x482 x483 AS EventObject.x483 x484 AS EventObject.x484 x485 AS EventObject.x485 x486 AS EventObject.x486 x487 AS EventObject.x487 x488 AS EventObject.x488 x489 AS EventObject.x489 x48a AS EventObject.x48a x48b AS EventObject.x48b x48c AS EventObject.x48c x48d AS EventObject.x48d x48e AS EventObject.x48e x48f AS EventObject.x48f x490 AS EventObject.x490 x491 AS EventObject.x491 xc0010114 AS EventObject.xc0010114 xce AS EventObject.xce xmlns AS EventObject.xmlns xsd AS EventObject.xsd xsi AS EventObject.xsi | eval "host"='host', "_time"='_time' | timechart dedup_splitvals=t limit=100 useother=t count AS "Count of Events (Warning or higher)"  by "host" format=$VAL$:::$AGG$ | sort limit=100 _time | fields _time *</query>
          <earliest>rt-24h</earliest>
          <latest>rt</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.text">Count of Events (Warning or higher)</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">area</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.overlayFields">10.10.10.15</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>

thiagodede
Explorer

Since you created the search from the Pivot, Splunk used TOKENS in the generated search to enable you to use the filters available in the Pivot.

Once you extracted the search and used it without removing the TOKENS, the dashboard was waiting for the TOKENS to be filled with a value to execute the search.

Every time you use a TOKEN in a search and this TOKEN is not set, the search will return the message "Search is waiting for input..."

MuS
SplunkTrust

A quick look over the search shows in timechart the option format=$VAL$:::$AGG$ ; where is $VAL$ and $AGG$ coming from?

cheers, MuS

HCadmins
Communicator

I removed it and things seem to be working. I wonder why that was there.

MuS
SplunkTrust

I just converted the comment to an answer, feel free to accept it if it answered your question. cheers, MuS

HCadmins
Communicator

Okay I found out what format=$VAL$:::$AGG$ is, and I actually need it.

It's the chart overlay values, which I need to keep (see screenshot).

MuS
SplunkTrust

Can you post the complete dashboard XML please?

HCadmins
Communicator
<dashboard>
  <label>Cloud Ops</label>
  <description>Created by Adam</description>
  <row>
    <panel>
      <html>
        <div style="background-color:#00aeef; font-family: Georgia, serif; letter-spacing: 2px; color:#fff; padding:10px; border-radius:5px; border: 1px solid #6d6e71; font-size:20em;">
          <center>
            <h1>CLOUD OPS</h1>
          </center>
        </div>
    </html>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>UCS / VMware Overlay</title>
        <search>
          <query>(index=* OR index=_*) ((index=* OR index=_*) ((source=cisco:ucs:faultInst* severity=critical) OR (sourcetype=vmware:esxlog* error NOT warning)))  | rename Message AS EventObject.Message Type AS EventObject.Type index AS EventObject.index linecount AS EventObject.linecount reason AS EventObject.reason severity AS EventObject.severity splunk_server AS EventObject.splunk_server | eval "host"='host', "_time"='_time' | timechart dedup_splitvals=t limit=100 useother=t count AS "Critical / Error Messages"  by "host" | sort limit=100 _time | fields _time *</query>
          <earliest>rt-24h</earliest>
          <latest>rt</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.text">Count of Events (Warning or higher)</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">area</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.overlayFields">10.10.10.15</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>VPN Authentication</title>
      <table>
        <title>Hosting VPN Auth Failures, Last 24 Hours</title>
        <search>
          <query>host=* sourcetype=UTM* sub=auth name="Authentication failed" OR "Authentication Failed" | head 5 | rex field=_raw "^\S+\s(?&lt;Customer&gt;\S+)"| eval Timestamp=strftime(_time,"%m-%d-%y %I:%M %p")| table user name Timestamp Customer | rename user as "User", name as "Reason" | eval Customer=case(Customer="portal","Main Firewall", Customer="portal-1","Main Firewall",Customer="ohfl","Orlando", Customer="quhi","Queens",Customer="chks","Children's Health Assoc.",Customer="mhnc","Mission",Customer="mgms","Gulfport",Customer="ocvt","OneCare",Customer="maca","MedAmerica",Customer="uttx","U. of Texas",Customer="adny","Adirondacks",Customer="cafe","CAFE",Customer="kuks","U. of Kansas",Customer="SLC-HOSTING-FW01","Hosting FW",Customer="uppa","U. of Pittsburgh",true(),"-")</query>
          <earliest>rt-24h</earliest>
          <latest>rtnow</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <title>AD Authentication</title>
      <table>
        <title>AD Auth Failures Above 3, Last 24 Hours</title>
        <search>
          <query>index=wineventlog Account_Domain=* ("EventCode=4625" OR "EventCode=4740") | head 10 | stats count count(eval(EventCode=4740)) as LockedCount by user Account_Domain | search count&gt;3 | eval Locked=if(LockedCount&gt;1, "yes", "no")  | table user count Account_Domain Locked | rename user as "User" count as "Failed Authentication Attempts" Account_Domain as "Domain"</query>
          <earliest>rt-24h</earliest>
          <latest>rt</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <title>VM Alarms</title>
      <table>
        <title>VM Alarms "RED", 30 Minute Window</title>
        <search>
          <query>sourcetype="vmware:events" alarm.name=* | head 10 | eval Timestamp=strftime(_time,"%m-%d-%y %I:%M %p") | spath to | search to=* | spath alarm.name output=alarm | spath vm.name output=vm_name | spath vm.vm.moid output=vm_moid | search host=* | stats first(to) as cur_status by Timestamp alarm vm_name | search cur_status="red" | rename alarm as Alarm, vm_name as VM, cur_status as Status</query>
          <earliest>rt-30m</earliest>
          <latest>rt</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>UCS Critical</title>
      <table>
        <title>UCS Critical Alerts, Last 24 Hours</title>
        <search>
          <query>source=cisco:ucs:faultInst ("critical" OR "severe" OR "major") NOT "security" | head 10 | eval Time=_time | convert ctime(Time) | table Time severity descr | rename severity as Severity, descr as Message</query>
          <earliest>rt-24h</earliest>
          <latest>rtnow</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>

MuS
SplunkTrust

Okay, but here the format=$VAL$:::$AGG$ is missing and therefore it works. You need to change the format option to this: format=$$VAL$$:::$$AGG$$ in your timechart chart in the dashboard and it works - at least it worked for me on Splunk 6.5 😉

cheers, MuS

HCadmins
Communicator

Sorry, I copied/pasted the working XML.

I just rebuilt the panel and it's not working again. Here is the full XML. The top panel (Cisco / VMware overlay) is the one that is "waiting for input."

<dashboard>
  <label>Cloud Ops</label>
  <description>Created by Adam</description>
  <row>
    <panel>
      <html>
        <div style="background-color:#00aeef; font-family: Georgia, serif; letter-spacing: 2px; color:#fff; padding:10px; border-radius:5px; border: 1px solid #6d6e71; font-size:20em;">
          <center>
            <h1>CLOUD OPS</h1>
          </center>
        </div>
    </html>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>VMware / Cisco Overlay</title>
        <search>
          <query>(index=* OR index=_*) ((index=* OR index=_*) ((index=* OR index=_*) ((source=cisco:ucs:faultInst* severity=critical) OR (sourcetype=vmware:esxlog* error NOT warning))))  | rename Application AS EventObject.Application Level AS EventObject.Level Message AS EventObject.Message Object AS EventObject.Object Offset AS EventObject.Offset Vpxa AS EventObject.Vpxa ack AS EventObject.ack address AS EventObject.address app AS EventObject.app arg AS EventObject.arg body AS EventObject.body cType AS EventObject.cType cause AS EventObject.cause changeSet AS EventObject.changeSet code AS EventObject.code created AS EventObject.created date_hour AS EventObject.date_hour date_mday AS EventObject.date_mday date_minute AS EventObject.date_minute date_month AS EventObject.date_month date_second AS EventObject.date_second date_wday AS EventObject.date_wday date_year AS EventObject.date_year date_zone AS EventObject.date_zone descr AS EventObject.descr description AS EventObject.description dest AS EventObject.dest dn AS EventObject.dn dynamicType AS EventObject.dynamicType eventtype AS EventObject.eventtype explanation AS EventObject.explanation faultCause AS EventObject.faultCause faultMessage AS EventObject.faultMessage highestSeverity AS EventObject.highestSeverity id AS EventObject.id index AS EventObject.index key AS EventObject.key lastTransition AS EventObject.lastTransition lc AS EventObject.lc linecount AS EventObject.linecount message AS EventObject.message msg AS EventObject.msg occur AS EventObject.occur opID AS EventObject.opID origSeverity AS EventObject.origSeverity prevSeverity AS EventObject.prevSeverity punct AS EventObject.punct reason AS EventObject.reason rule AS EventObject.rule severity AS EventObject.severity site AS EventObject.site splunk_server AS EventObject.splunk_server src AS EventObject.src subject AS EventObject.subject system_name AS EventObject.system_name tag AS EventObject.tag tag::eventtype AS EventObject.tag::eventtype tags AS 
EventObject.tags timeendpos AS EventObject.timeendpos timestamp AS EventObject.timestamp timestartpos AS EventObject.timestartpos type AS EventObject.type user AS EventObject.user | eval "host"='host', "_time"='_time' | timechart dedup_splitvals=t limit=100 useother=t count AS "Errors by Host"  by "host" format=$VAL$:::$AGG$ | sort limit=100 _time | fields _time *</query>
          <earliest>rt-24h</earliest>
          <latest>rt</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.text">Errors by Host</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">area</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">connect</option>
        <option name="charting.chart.overlayFields">10.10.10.15</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>VPN Authentication</title>
      <table>
        <title>Hosting VPN Auth Failures, Last 24 Hours</title>
        <search>
          <query>host=* sourcetype=UTM* sub=auth name="Authentication failed" OR "Authentication Failed" | head 5 | rex field=_raw "^\S+\s(?&lt;Customer&gt;\S+)"| eval Timestamp=strftime(_time,"%m-%d-%y %I:%M %p")| table user name Timestamp Customer | rename user as "User", name as "Reason" | eval Customer=case(Customer="portal","Main Firewall", Customer="portal-1","Main Firewall",Customer="ohfl","Orlando", Customer="quhi","Queens",Customer="chks","Children's Health Assoc.",Customer="mhnc","Mission",Customer="mgms","Gulfport",Customer="ocvt","OneCare",Customer="maca","MedAmerica",Customer="uttx","U. of Texas",Customer="adny","Adirondacks",Customer="cafe","CAFE",Customer="kuks","U. of Kansas",Customer="SLC-HOSTING-FW01","Hosting FW",Customer="uppa","U. of Pittsburgh",true(),"-")</query>
          <earliest>rt-24h</earliest>
          <latest>rtnow</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <title>AD Authentication</title>
      <table>
        <title>AD Auth Failures Above 3, Last 24 Hours</title>
        <search>
          <query>index=wineventlog Account_Domain=* ("EventCode=4625" OR "EventCode=4740") | head 10 | stats count count(eval(EventCode=4740)) as LockedCount by user Account_Domain | search count&gt;3 | eval Locked=if(LockedCount&gt;1, "yes", "no")  | table user count Account_Domain Locked | rename user as "User" count as "Failed Authentication Attempts" Account_Domain as "Domain"</query>
          <earliest>rt-24h</earliest>
          <latest>rt</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <title>VM Alarms</title>
      <table>
        <title>VM Alarms "RED", 30 Minute Window</title>
        <search>
          <query>sourcetype="vmware:events" alarm.name=* | head 10 | eval Timestamp=strftime(_time,"%m-%d-%y %I:%M %p") | spath to | search to=* | spath alarm.name output=alarm | spath vm.name output=vm_name | spath vm.vm.moid output=vm_moid | search host=* | stats first(to) as cur_status by Timestamp alarm vm_name | search cur_status="red" | rename alarm as Alarm, vm_name as VM, cur_status as Status</query>
          <earliest>rt-30m</earliest>
          <latest>rt</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>UCS Critical</title>
      <table>
        <title>UCS Critical Alerts, Last 24 Hours</title>
        <search>
          <query>source=cisco:ucs:faultInst ("critical" OR "severe" OR "major") NOT "security" | head 10 | eval Time=_time | convert ctime(Time) | table Time severity descr | rename severity as Severity, descr as Message</query>
          <earliest>rt-24h</earliest>
          <latest>rtnow</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>

MuS
SplunkTrust

Yes, it breaks because you are still using format=$VAL$:::$AGG$ instead of format=$$VAL$$:::$$AGG$$ in the timechart 😉

HCadmins
Communicator

Could you help me understand why that fixed it?

MuS
SplunkTrust

Of course:

  • using $VAL$ in a dashboard is a token, which Splunk tries to replace before a search starts
  • using $$VAL$$ is telling Splunk to not replace the $VAL$ with a token and use the literal $VAL$ in the search, it is like escaping the $.

Hope that makes sense ...

cheers, MuS
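
The token substitution described in the answer above can be checked before a dashboard is saved. This is an added example, not code from the thread or from Splunk: it scans Simple XML for `$name$` tokens in each `<query>` that nothing in the dashboard defines, treating `$$` as an escaped literal dollar. The sample dashboard, its panel titles and index names, and the function names are constructed for illustration, and the sketch assumes tokens are defined only through a `token` attribute (extra names can be passed in `known`).

```python
import re
import xml.etree.ElementTree as ET

# Scan left to right: "$$" is an escaped literal dollar, "$name$" (optionally
# "$name|filter$") is a token Splunk substitutes before the search starts.
SCAN_RE = re.compile(r"\$\$|\$([^$\s|]+)(?:\|\w+)?\$")


def tokens_in(query):
    """Token names that would be substituted in a query string."""
    return {m.group(1) for m in SCAN_RE.finditer(query) if m.group(1)}


def defined_tokens(root):
    """Names set by any element carrying a token attribute (inputs, <set>, ...)."""
    return {el.get("token") for el in root.iter() if el.get("token")}


def audit_dashboard(xml_text, known=()):
    """Map panel title -> sorted token names that no element defines.

    A panel listed here would sit at "Search is waiting for input...".
    """
    root = ET.fromstring(xml_text)
    defined = defined_tokens(root) | set(known)
    findings = {}
    for panel in root.iter("panel"):
        for viz in panel:
            query = viz.findtext("search/query")
            if query is None:
                continue
            missing = tokens_in(query) - defined
            if missing:
                title = viz.findtext("title") or panel.findtext("title") or "(untitled)"
                findings[title] = sorted(missing)
    return findings


def escape_literals(query, names):
    """Double the dollars around the given names so SPL receives a literal $name$."""
    def fix(match):
        if match.group(1) in names:
            return "$" + match.group(0) + "$"
        return match.group(0)
    return SCAN_RE.sub(fix, query)


# Constructed sample: one input-defined token, one Pivot-style format string
# left unescaped, and one panel with the escaped form.
SAMPLE = """<form>
  <fieldset>
    <input type="text" token="host_tok"><label>Host</label></input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Pivot export</title>
        <search>
          <query>index=main host=$host_tok$ | timechart count by host format=$VAL$:::$AGG$</query>
        </search>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Escaped</title>
        <search>
          <query>index=main | timechart count by host format=$$VAL$$:::$$AGG$$</query>
        </search>
      </chart>
    </panel>
  </row>
</form>"""

if __name__ == "__main__":
    for title, names in audit_dashboard(SAMPLE).items():
        print(f"{title}: undefined tokens {names}")
```
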

HCadmins
Communicator

That's a good question. I don't know. It was generated by the Pivot feature in Splunk.
