Dashboards & Visualizations

Why does a search using map not work in a dashboard and give the error "search is waiting for input"?

gerald_contrera
Path Finder

Hi all,

Thank you in advance.

I have a search using map that works fine in search, but when I add it to a dashboard (whether I add it exactly the same or with other tokens for fields) it doesn't work and says "search is waiting for input".

I think it might have something to do with the time/timepicker.

Search:

sourcetype="mcafee:wg:kv" src=10.42.61.130 dhost=*realtimeboard.com 
| eval mystarttime=_time-.1
| eval myendtime=_time+.1 
| map search="search sourcetype="mcafee:wg:kv" src=10.42.61.130 _time<$myendtime$ _time>$mystarttime$" 
| table 
    _time,MWG_Time_Log,host,action,rule,user,url,url_protocol,http_method,body,dhost,src,http_content_type 
| sort -_time

Dashboard XML Source - ignore all the other input tokens, as the only one I'm using in the search is the timepicker until I get it working.

<form>
  <label>MWG Connection Trace</label>
  <fieldset submitButton="false">
    <input type="time" token="tracetime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="hostselect" searchWhenChanged="true">
      <label>Search MWG/Domain</label>
      <choice value="*">All Domains</choice>
      <choice value="dmzmwg0*">PARLNET</choice>
      <default>*</default>
      <prefix>IN (</prefix>
      <suffix>)</suffix>
      <initialValue>*</initialValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>| tstats dc(host) where sourcetype=mcafee:wg:kv by host</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="username" searchWhenChanged="true">
      <label>Enter Username for trace</label>
      <default>*</default>
      <prefix>*</prefix>
      <suffix>*</suffix>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="srcip" searchWhenChanged="true">
      <label>Source IP of Computer</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="radio" token="actionchoice" searchWhenChanged="true">
      <label>Rule Action Applied</label>
      <choice value="*">All</choice>
      <choice value="allowed">Allowed</choice>
      <choice value="blocked">Blocked</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="multiselect" token="rulefilter" searchWhenChanged="true">
      <label>Filter by Rule</label>
      <choice value="*">All Rules</choice>
      <default>*</default>
      <prefix>IN (</prefix>
      <suffix>)</suffix>
      <initialValue>*</initialValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <fieldForLabel>rule</fieldForLabel>
      <fieldForValue>rule</fieldForValue>
      <search>
        <query>sourcetype=mcafee:wg:kv | dedup rule | table rule</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="searchoption" searchWhenChanged="true">
      <label>Enter URL/Domain to search- ## Do not use * wild card ##</label>
      <default></default>
      <prefix>*</prefix>
    </input>
    <input type="dropdown" token="searchby" searchWhenChanged="true">
      <label>Search by URL or Domain from text box search</label>
      <choice value="url">Search URL</choice>
      <choice value="dhost">Search Domain/dhost</choice>
      <default>url</default>
      <initialValue>url</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>sourcetype="mcafee:wg:kv" src=10.42.61.130 dhost=*realtimeboard.com 
| eval mystarttime=_time-.1
| eval myendtime=_time+.1 
| map search="search sourcetype="mcafee:wg:kv" src=10.42.61.130 _time&lt;$myendtime$ _time&gt;$mystarttime$" 
| table 
    _time,MWG_Time_Log,host,action,rule,user,url,url_protocol,http_method,body,dhost,src,http_content_type 
| sort -_time</query>
          <earliest>$tracetime.earliest$</earliest>
          <latest>$tracetime.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Thanks, any direction or help would be much appreciated.

Gerald

1 Solution

niketn
Legend

@gerald_contreras, following are the changes you need:

1) Inside the map command, double quotes need to be escaped.
2) $ needs to be escaped inside the map command.
Try the following changes and confirm!

 <your_existing_search>
| map search="search sourcetype=\"mcafee:wg:kv\" src=10.42.61.130 _time<$$myendtime$$ _time>$$mystarttime$$"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

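As an added illustration (my own code, not the poster's or niketn's): a small Python checker that parses a Simple XML form, lists the $token$ references that no input defines (the ones that leave a panel "waiting for input"), and builds the map line escaped the way the answer describes. The form below is constructed and cut down from the one in the question; the function names are mine.

```python
import re
import xml.etree.ElementTree as ET

# Simple XML treats $name$ as a dashboard token; "$$" passes a literal "$" through to SPL.
TOKEN_RE = re.compile(r"(?<!\$)\$([A-Za-z_][\w.]*)\$(?!\$)")

def declared_tokens(root):
    """Tokens defined by <input> elements; a time input t also defines t.earliest and t.latest."""
    names = set()
    for inp in root.iter("input"):
        tok = inp.get("token")
        if tok:
            names.add(tok)
            if inp.get("type") == "time":
                names.update({tok + ".earliest", tok + ".latest"})
    return names

def unresolved_tokens(xml_text):
    """Map each $token$ used in <query>/<earliest>/<latest> but defined by no input to
    the tags it appears in; an empty dict means no panel will block waiting for input."""
    root = ET.fromstring(xml_text)
    declared, missing = declared_tokens(root), {}
    for el in root.iter():
        if el.tag in ("query", "earliest", "latest") and el.text:
            for tok in TOKEN_RE.findall(el.text):
                if tok not in declared:
                    missing.setdefault(tok, []).append(el.tag)
    return missing

def map_command_for_dashboard(inner_search):
    """Build '| map search="..."' for a <query>: inner quotes become \\" so map gets one
    string, '$' becomes '$$' so the dashboard ignores map's $field$, and < > become entities."""
    body = inner_search.replace('"', '\\"').replace("$", "$$")
    return f'| map search="{body}"'.replace("<", "&lt;").replace(">", "&gt;")

# Constructed, cut-down form modelled on the poster's: one time input, one table panel.
FORM = """<form><fieldset>
<input type="time" token="tracetime"><default><earliest>-24h@h</earliest><latest>now</latest></default></input>
</fieldset><row><panel><table><search><query>sourcetype="mcafee:wg:kv" src=10.42.61.130 dhost=*realtimeboard.com
| eval mystarttime=_time-.1 | eval myendtime=_time+.1
{map_line}
| table _time,host,action,url | sort -_time</query>
<earliest>$tracetime.earliest$</earliest><latest>$tracetime.latest$</latest>
</search></table></panel></row></form>"""

# The map line as pasted into the dashboard (unescaped inner quotes and $), and the repaired one.
ORIGINAL_MAP = ('| map search="search sourcetype="mcafee:wg:kv" src=10.42.61.130 '
                '_time&lt;$myendtime$ _time&gt;$mystarttime$"')
FIXED_MAP = map_command_for_dashboard(
    'search sourcetype="mcafee:wg:kv" src=10.42.61.130 _time<$myendtime$ _time>$mystarttime$')
```

Running `unresolved_tokens(FORM.format(map_line=ORIGINAL_MAP))` reports myendtime and mystarttime as undefined tokens in the query, while the FIXED_MAP version reports nothing.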

gerald_contrera
Path Finder

Thank you niketnilay,

Yes this has worked.

Brilliant.

Thank you very much
