Dashboards & Visualizations

Why is the "map" command not working in dashboard and the corresponding panel displays "Waiting for inputs"?

jayannah
Builder

Hi

I wanted to find the missing timestamp for consumer numbers. We are expected to receive the data for each consumer's number for every 1 hour. If there are no events for any of the consumer numbers for any hour, such consumer numbers and missing hour should be displayed.

The below query gives the correct result as expected. The output of the below query gives the consumer numbers and its missing time hour information.

     index="sm" sourcetype="sm"  | rename "Consumer No" as cn | stats count by cn | map search="search index=sm sourcetype=sm $cn$| timechart span=1h count | where count=0 | eval Consumer_no=$cn$"| convert ctime(_time) | stats values(_time) by Consumer_no

I'm getting the following output as expected

                  Meter 1     31/08/2014 1:00
                              01/09/2014 13:00
                  Meter 2    29/08/2014  8:00
                             05/09/2014  12:00
                   Meter 3    05/09/2014  10:00
                             05/09/2014  15:00

Problem:

When saving the query into a dashboard, the same result is not displaying. I always see “waiting for inputs” in the corresponding panel in the dashboard and result never displays.

Can anyone help how to resolve this issue??

1 Solution

wpreston
Motivator

Try wrapping your variables in the map commands in two dollar signs ($$) instead of one. I think this has to do with Splunk's dashboards natively using the $ character for user defined variables. The dashboard is "waiting for input" because it is expecting $cn$ as a user variable rather than a variable of the map command. If you write your cn map variable as $$cn$$, it will be parsed in the search query as $cn$ and map will then be able to use it correctly. At least in theory. Try it out and let us know if this works for you:

index="sm" sourcetype="sm"  | rename "Consumer No" as cn | stats count by cn | map search="search index=sm sourcetype=sm $$cn$$| timechart span=1h count | where count=0 | eval Consumer_no=$$cn$$"| convert ctime(_time) | stats values(_time) by Consumer_no

View solution in original post

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...