Hi
I want to find the missing timestamps for consumer numbers. We expect to receive data for each consumer number every 1 hour. If there are no events for a consumer number in any hour, that consumer number and the missing hour should be displayed.
The query below gives the correct result as expected. Its output lists the consumer numbers and their missing hours.
index="sm" sourcetype="sm" | rename "Consumer No" as cn | stats count by cn | map search="search index=sm sourcetype=sm $cn$| timechart span=1h count | where count=0 | eval Consumer_no=$cn$"| convert ctime(_time) | stats values(_time) by Consumer_no
I'm getting the following output as expected
Meter 1 31/08/2014 1:00
01/09/2014 13:00
Meter 2 29/08/2014 8:00
05/09/2014 12:00
Meter 3 05/09/2014 10:00
05/09/2014 15:00
Problem:
When I save the query into a dashboard, the same result is not displayed. I always see "waiting for inputs" in the corresponding panel in the dashboard and the result never displays.
Can anyone help me resolve this issue?
Try wrapping your variables in the map command in two dollar signs ($$) instead of one. I think this has to do with Splunk's dashboards natively using the $ character for user-defined variables. The dashboard is "waiting for input" because it is expecting $cn$ as a user variable rather than a variable of the map command. If you write your cn map variable as $$cn$$, it will be parsed in the search query as $cn$ and map will then be able to use it correctly. At least in theory. Try it out and let us know if this works for you:
index="sm" sourcetype="sm" | rename "Consumer No" as cn | stats count by cn | map search="search index=sm sourcetype=sm $$cn$$| timechart span=1h count | where count=0 | eval Consumer_no=$$cn$$"| convert ctime(_time) | stats values(_time) by Consumer_no
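The escaping described in the answer above, placed in a dashboard's Simple XML source (an added example, not part of the original post; the label, panel title and time range are assumptions):

```xml
<!-- Added example: Simple XML source for one dashboard panel.
     The label, panel title and time range are assumptions. -->
<dashboard>
  <label>Missing hourly readings</label>
  <row>
    <panel>
      <title>Consumer numbers with missing hours</title>
      <table>
        <search>
          <!-- CDATA keeps the quotes and pipes literal. Each $$ is rendered as a
               single $, so map receives $cn$ and the dashboard does not wait for
               a token named cn. -->
          <query><![CDATA[
index="sm" sourcetype="sm" | rename "Consumer No" as cn | stats count by cn
| map search="search index=sm sourcetype=sm $$cn$$ | timechart span=1h count | where count=0 | eval Consumer_no=$$cn$$"
| convert ctime(_time) | stats values(_time) by Consumer_no
          ]]></query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The map command runs at most 10 searches by default (its maxsearches option), so a panel covering more consumer numbers than that needs the option raised.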