After updating our Splunk environment from Splunk 7.0.3 & ES 5.0 to Splunk 7.2.0 & Enterprise Security 5.1.1, many of the ES dashboards are not functioning. This appears to be a problem with all ES dashboards that use a dropdown input or Field Picker that includes an ALL option.
For example: the Access Center dashboard should have 4 panels of data, however all 4 panels show the error “Search is waiting for input”. I have tried adjusting all of the input fields at the top of the dashboard and hitting search again but nothing changes.
Most of the time, the search is waiting for a token. Maybe some input that wasn't selected or maybe some search didn´t return the data to be used in this search.
If you want to copy and paste the XML from the source here, I can have a look.
We have not edited any of the ES dashboards. They remain completely stock. It feels like this is a bug.
Oh, is one of the ES, ok, maybe some scheduled search is missing. But maybe is a bug in the dash.
Check the search to see what token is missing.
Turns out that we had made a few adjustments to some dashboards within ES. I cleared out the changes...which were very very minimal and all of the dashboards now work. It makes me wonder what changes to the base dashboards would have been broken due our changes.