Solved: Splunk Dashboard - search is waiting for inputs

ashrafsj · ‎09-15-2020

Hi All,

I hope someone could help, search is waiting for inputs when I try to first load the dashboard and even search doesn't work.

<form hideAppBar="false" hideEdit="false" hideFooter="true" hideSplunkBar="false" hideTitle="false">
<label>Activity by ID or IP ADDRESS</label>

<fieldset submitButton="true" autoRun="false">
<input type="text" token="id" searchWhenChanged="false">
<label>ID</label>
<default></default>
</input>
<input type="text" token="ip_address" searchWhenChanged="true">
<label>IP Address</label>
</input>
<input type="dropdown" token="timespan" searchWhenChanged="true">
<label>Previous Days</label>
<choice value="7">7</choice>
<choice value="14">14</choice>
<choice value="30">30</choice>
<choice value="60">60</choice>
<choice value="90">90</choice>
<choice value="120">120</choice>
<choice value="180">180</choice>
<choice value="9999">All</choice>
<default>30</default>
<initialValue>30</initialValue>
</input>
</fieldset>
<search id="baseSearch">
<query>| dbxquery connection=XXX maxrows=2000 query="select \"timeLoRes\" as ACTIVITY_TIMESTAMP,
\"category\",\"applicationId\",\"userId\",\"action\",\"action2\",\"action3\",\"policyId\",\"policyVersionId\",\"deviceId\",\"deviceHardwareId\",\"deviceOsType\",\"deviceOsVersion\",\"deviceModel\",\"sessionId\",\"deviceSessionId\",\"clientIp\",\"host\",\"errorCode\",\"errorMessage\",\"failure\"
from REPORTS.REPORTS
WHERE (\"userId\" = '$id$' OR \"clientIp\" = '$ip_address$')
AND \"category\" = 'User'
AND \"applicationId\" ='sso'
AND \"timeLoRes\" &gt; (sysdate - $timespan$)" shortnames=true</query>
</search>
<row>
<panel>
<chart>
<title>SAC Successful</title>
<search base="baseSearch">
<query>| search action = assert_start AND action2 = token_response | eval _time=strptime( ACTIVITY_TIMESTAMP, "%Y-%m-%d %H:%M:%S" ) | timechart span=1d count by action2</query>
</search>
<option name="charting.axisLabelsY.majorUnit">1</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">column</option>
<option name="charting.drilldown">all</option>
<option name="charting.legend.placement">bottom</option>
</chart>
</panel>
<panel>
<table>
<title>SAC Unsuccessful</title>
<search base="baseSearch">
<query>| search action = assertion_start AND action2 = reject | chart count by action2</query>
</search>
<option name="drilldown">cell</option>
</table>
</panel>
</row>
<row>
<panel>
<title>SAC bind successful</title>
<table>
<title>Results</title>
<search base="baseSearch">
<query>| search action = add_device_group | table ACTIVITY_TIMESTAMP,
category,applicationId,userId,action,action2,action3,policyId,policyVersionId,deviceId,deviceHardwareId,deviceOsType,deviceOsVersion,deviceModel,sessionId,deviceSessionId,clientIp,host,errorCode,errorMessage,failure</query>
</search>
<option name="count">30</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>SAC form </title>
<table>
<title>Results</title>
<search base="baseSearch">
<query>| search action = assertion_start AND action2 = form AND action3 = action | table ACTIVITY_TIMESTAMP,
category,applicationId,userId,action,action2,action3,policyId,policyVersionId,deviceId,deviceHardwareId,deviceOsType,deviceOsVersion,deviceModel,sessionId,deviceSessionId,clientIp,host,errorCode,errorMessage,failure</query>
</search>
<option name="count">30</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>

I was not able to format the code part, apologies for pasting it as it is.

ashrafsj · ‎09-15-2020

Just for the information - I have resolved the issue I had by adding <default></default> to the ip address as well. Hope this helps anyone who have similar issues.

<input type="text" token="ip_address" searchWhenChanged="true">
<label>IP Address</label>
<default></default>
</input>

View solution in original post

ashrafsj · ‎09-15-2020

Just for the information - I have resolved the issue I had by adding <default></default> to the ip address as well. Hope this helps anyone who have similar issues.

<input type="text" token="ip_address" searchWhenChanged="true">
<label>IP Address</label>
<default></default>
</input>

renjith_nair · ‎09-15-2020

This is the same I had explained in my first reply. If you want to run the search on the dashboard load, you need to set default values.

Happy Splunking!

renjith_nair · ‎09-15-2020

Use the code sample </> to add your xml - edited for now.

On the load of the dashboard, searches are waiting for the input parameters .

What happens after you enter ID,IP Address and Previous days and then "Submit" ?

If you do not want the dashboard to wait for the inputs, you may set default values for input tokens and remove Submit button

Happy Splunking!

ashrafsj · ‎09-15-2020

When I enter the ID and choose the previous days and hit enter, there is no response. I tried to give IP address instead and there is response. then later I tried with ID and it gives the result once I hit the submit button.

I have tried to refresh the dashboard and gave the ID and tried again, tried opening the search it shows undefined from the dashboard. Not sure whats happening with ID field.

Splunk Dashboard - search is waiting for inputs

other

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!