I wanted to find the missing timestamps for consumer numbers. We expect to receive data for each consumer number every hour. If there are no events for a consumer number in any hour, that consumer number and the missing hour should be displayed.
The query below gives the correct result, as expected. Its output gives the consumer numbers and their missing hour information.
index="sm" sourcetype="sm" | rename "Consumer No" as cn | stats count by cn | map search="search index=sm sourcetype=sm $cn$| timechart span=1h count | where count=0 | eval Consumer_no=$cn$"| convert ctime(_time) | stats values(_time) by Consumer_no
I'm getting the following output, as expected:
Meter 1 31/08/2014 1:00 01/09/2014 13:00
Meter 2 29/08/2014 8:00 05/09/2014 12:00
Meter 3 05/09/2014 10:00 05/09/2014 15:00
When I save the query into a dashboard, the same result is not displayed. I always see “waiting for inputs” in the corresponding panel in the dashboard, and the result never displays.
Can anyone help me resolve this issue?
This should be incorporated in a form as the token you use should have default values at the start to display the results.
"waiting for input" means that the expected value of the $cn$ token to display the result,
In principle, therefore, you must have a dropdown for
Try to check this and let me know.
The search has 2 parts.
part-1: index="sm" sourcetype="sm" | rename "Consumer No" as cn | stats count by cn
part-2: map search="search index=sm sourcetype=sm $cn$| timechart span=1h count | where count=0 | eval Consumer_no=$cn$"| convert ctime(_time) | stats values(_time) by Consumer_no
The token values for $cn$ for the 2nd search come from the 1st search.
The search query finds the timestamps for which no event was received for a consumer in a particular hour. Actually, part-1 is a slightly bigger query, and I simplified it here for the discussion, as the primary concern is that whatever works in the search query doesn't work after saving it into a dashboard. Why?
Try wrapping your variables in the map commands in two dollar signs ($$) instead of one. I think this has to do with Splunk's dashboards natively using the $ character for user defined variables. The dashboard is "waiting for input" because it is expecting $cn$ as a user variable rather than a variable of the map command. If you write your cn map variable as $$cn$$, it will be parsed in the search query as $cn$ and map will then be able to use it correctly. At least in theory. Try it out and let us know if this works for you:
index="sm" sourcetype="sm" | rename "Consumer No" as cn | stats count by cn | map search="search index=sm sourcetype=sm $$cn$$| timechart span=1h count | where count=0 | eval Consumer_no=$$cn$$"| convert ctime(_time) | stats values(_time) by Consumer_no
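An added example, not part of the thread and not Splunk tooling: a Python check that finds `$name$` tokens in a Simple XML dashboard's queries that nothing in the dashboard defines (the condition that leaves a panel "waiting for input") and rewrites them to the `$$name$$` form suggested above. The sample form, the `host_tok` token and the function names are constructed for illustration, and it assumes tokens are defined by elements carrying a `token` attribute.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Simple XML form for illustration (not from the thread).
# Panel 0 uses a real form token plus an unescaped map variable; panel 1 escapes it.
SAMPLE_FORM = """<form>
  <fieldset>
    <input type="text" token="host_tok"><label>Host</label></input>
  </fieldset>
  <row><panel><table><search>
    <query>index=sm host=$host_tok$ | stats count by cn | map search="search index=sm $cn$ | timechart span=1h count"</query>
  </search></table></panel></row>
  <row><panel><table><search>
    <query>index=sm | stats count by cn | map search="search index=sm $$cn$$ | timechart span=1h count"</query>
  </search></table></panel></row>
</form>"""

# "$$" is an escaped literal dollar; "$name$" (optionally "$name|filter$") is a token.
TOKEN = re.compile(r"\$\$|\$([A-Za-z_]\w*)(?:\|\w+)?\$")

def defined_tokens(root):
    """Assumption: a token is defined by any element with a token= attribute."""
    return {el.get("token") for el in root.iter() if el.get("token")}

def unresolved_tokens(dashboard_xml):
    """Return (query_index, name) for each single-$ token nothing in the dashboard defines."""
    root = ET.fromstring(dashboard_xml)
    defined = defined_tokens(root)
    findings = []
    for i, query in enumerate(root.iter("query")):
        for m in TOKEN.finditer(query.text or ""):
            name = m.group(1)  # None when the match is the "$$" escape
            if name is not None and name not in defined:
                findings.append((i, name))
    return findings

def escape_for_dashboard(query, defined):
    """Double the dollars around undefined tokens; leave real dashboard tokens alone."""
    def fix(m):
        name = m.group(1)
        if name is None or name in defined:
            return m.group(0)
        return "$$" + m.group(0)[1:-1] + "$$"
    return TOKEN.sub(fix, query)

if __name__ == "__main__":
    for idx, name in unresolved_tokens(SAMPLE_FORM):
        print(f"query {idx}: ${name}$ is not defined by any input")
```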
I'm also experiencing this issue. I attempted the above recommendation (double $s) instead of the regular (single $s) in the map variables. It didn't work for me, though it does produce a different error message: Error in 'map': Did not find value for required attribute 'foo' as opposed to the original "waiting for input". The query runs fine standalone, so I know (well, assume) that it's nothing in the query that's tripping me up.
I've stripped the query (inside the dashboard) down to the bones, so it looks like this:
index=foo | eval var="bar" | map search="search index=fubar $$var$$ "
This seems like it should work, based on your recommendation, but does not. If I hardcode bar (not quoted) in the map search, or use a dashboard form input variable ($var$) in the map search (again, not quoted), I get correct results. Thus, I'm pretty sure I'm getting bit by the variable substitution.
Any assistance (by anyone) would be appreciated.
I am also facing the same issue. If I use $$ I am getting zero results, and with $ I am getting proper results. Did you get any solution for this? Thanks!
I got it working with double $$ signs instead of one.
With double $$ it sometimes works, sometimes doesn't. Does anyone know how to solve this?