Dashboards & Visualizations

Why is the "map" command not working in dashboard and the corresponding panel displays "Waiting for inputs"?

jayannah
Builder

Hi

I wanted to find the missing timestamp for consumer numbers. We are expected to receive the data for each consumer's number for every 1 hour. If there are no events for any of the consumer numbers for any hour, such consumer numbers and missing hour should be displayed.

The below query gives the correct result as expected. The output of the below query gives the consumer numbers and its missing time hour information.

     index="sm" sourcetype="sm"  | rename "Consumer No" as cn | stats count by cn | map search="search index=sm sourcetype=sm $cn$| timechart span=1h count | where count=0 | eval Consumer_no=$cn$"| convert ctime(_time) | stats values(_time) by Consumer_no

I'm getting the following output as expected

                  Meter 1     31/08/2014 1:00
                              01/09/2014 13:00
                  Meter 2    29/08/2014  8:00
                             05/09/2014  12:00
                   Meter 3    05/09/2014  10:00
                             05/09/2014  15:00

Problem:

When saving the query into a dashboard, the same result is not displaying. I always see “waiting for inputs” in the corresponding panel in the dashboard and result never displays.

Can anyone help how to resolve this issue??

1 Solution

wpreston
Motivator

Try wrapping your variables in the map commands in two dollar signs ($$) instead of one. I think this has to do with Splunk's dashboards natively using the $ character for user defined variables. The dashboard is "waiting for input" because it is expecting $cn$ as a user variable rather than a variable of the map command. If you write your cn map variable as $$cn$$, it will be parsed in the search query as $cn$ and map will then be able to use it correctly. At least in theory. Try it out and let us know if this works for you:

index="sm" sourcetype="sm"  | rename "Consumer No" as cn | stats count by cn | map search="search index=sm sourcetype=sm $$cn$$| timechart span=1h count | where count=0 | eval Consumer_no=$$cn$$"| convert ctime(_time) | stats values(_time) by Consumer_no

View solution in original post

wpreston
Motivator

Try wrapping your variables in the map commands in two dollar signs ($$) instead of one. I think this has to do with Splunk's dashboards natively using the $ character for user defined variables. The dashboard is "waiting for input" because it is expecting $cn$ as a user variable rather than a variable of the map command. If you write your cn map variable as $$cn$$, it will be parsed in the search query as $cn$ and map will then be able to use it correctly. At least in theory. Try it out and let us know if this works for you:

index="sm" sourcetype="sm"  | rename "Consumer No" as cn | stats count by cn | map search="search index=sm sourcetype=sm $$cn$$| timechart span=1h count | where count=0 | eval Consumer_no=$$cn$$"| convert ctime(_time) | stats values(_time) by Consumer_no

jakehechang
New Member

Man you just saved my life!

0 Karma

morethanyell
Builder

Life saver

0 Karma

highsplunker
Contributor

I had problems at first.
But it's OK now for:

... | table file_name
| map file_name search="
| inputlookup $$file_name$$
"

0 Karma

wbcem
Explorer

I'm also experiencing this issue. I attempted the above recommendation (double $s) instead of the regular (single $s) in the map variables. It didn't work for me, though it does produce a different error message: Error in 'map': Did not find value for required attribute 'foo' as opposed to the original "waiting for input". The query runs fine standalone, so I know (well, assume) that it's nothing in the query that's tripping me up.

I've stripped the query (inside the dashboard) down to the bones, so it looks like this:

index=foo | eval var="bar" | map search="search index=fubar $$var$$ "

This seems like it should work, based on your recommendation, but does not. If I hardcode bar (not quoted) in the map search, or use a dashboard form input variable ($var$) in the map search (again, not quoted), I get correct results. Thus, I'm pretty sure I'm getting bit by the variable substitution.

Any assistance (by anyone) would be appreciated.

Abilan1
Path Finder

I am also facing the same issue, If I use $$ am getting zero results and with $ am getting proper results. did you get any solution for this. Thanks!

jagadeeshm
Contributor

Any solutions for this issue?

jagadeeshm
Contributor

I got it working with double $$ signs instead of one.

0 Karma

pamcarvalho
Path Finder

With double $$ sometimes works, sometimes doesn't.. Does anyone know how to solve this?

0 Karma

gyslainlatsa
Motivator

hi jayannah,
This should be incorporated in a form as the token you use should have default values at the start to display the results.
"waiting for input" means that the expected value of the $cn$token to display the result,
In principle, therefore, you must have a dropdown for cn values
try to check this and let me know.

0 Karma

jayannah
Builder

The search has 2 parts.
part-1: index="sm" sourcetype="sm" | rename "Consumer No" as cn | stats count by cn
part-2: map search="search index=sm sourcetype=sm $cn$| timechart span=1h count | where count=0 | eval Consumer_no=$cn$"| convert ctime(_time) | stats values(_time) by Consumer_no

The token values for $cn$ for the 2nd search comes from the 1st search.

The search query is to find the timestamps values for consumer missing for which the event is not received for particular hour. Actually part-1 is little bigger query and I made it simple here for the discussion as the primary concern here is, whatever works in the search query doesn't work after saving it into dashboard. Why?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...