hmm, why adding a tab anyway? If you use the simple XML editor the closing tag will match the opening tag.
As mentioned before, Bugs must be filed here http://www.splunk.com/r/bugs

Some code editors automatically indent with tabs, and it is not unusual to add whitespace within a search tag for readability on a long search. It is silly that Splunk can handle spaces but not tabs within tags. I have already reported this as a bug and I hope it is fixed in 6.3.

Hi,

But if regex is an issue, then suppose I don't want any regex filter and I generate the chart with data generated by base search as below:

      <chart>
    <title>Chart 1 - Not Working</title>
        <search base="baseSearch">
          <query>
         chart count over artist_name by track_name limit=100
      </query>
        </search>
        <option name="charting.chart">column</option>
    <option name="charting.chart.stackMode">stacked</option>
      </chart>

Still the error remains the same. So I mean to say it is not related to regex.

Okay, probably I wasn't too clear. The problem is most likely within your data. The provided sample works in a adapted search like this host="MusicData" artist_name=* | chart count over artist_name by track_name limit=100 but I assume the error or breaking event is somewhere else.
If you're willing and if it's possible to provide a complete set of the _raw events, I will contact you and will have a closer look on this.

Do you mean to say that if my basesearch contains only "host="MusicData" artist_name=*" and my chart's search contains "chart count over artist_name by track_name limit=100" then it should work? I tried that but it is not working.

As you suggested my data may have the issue, I tried to manipulate it in base search as below:

host="MusicData" index=ishanappindex NOT (artist_name="artist_name")  | fillnull value=Others artist_name,track_name| replace "" with "Others" in artist_name,track_name| dedup artist_name track_name| Where artist_name="Rihanna" | table artist_name track_name

Above base search gave results like below (exported search results in csv):

"artist_name","track_name"
Rihanna,"You Da One"
Rihanna,"We Found Love"

Here we sure that data is correct, but still the Chart 1 with count-over-by clause gives the same error.
So it turns out that it is neither data issue nor regex issue.

What version of Splunk you're on? In 6.2.4 this works like a charm. Using your example:

"artist_name","track_name"
 Rihanna,"You Da One"
 Rihanna,"We Found Love"

as music2.csv and a dashboard like this :

<dashboard>
   <search id="baseSearch">
     <query>
       | inputlookup music2.csv | search artist_name=* | table artist_name bc_uri track_name
     </query>
   </search>
   <row>
     <panel>
       <chart>
     <title>Chart 1 - Not Working</title>
         <search base="baseSearch">
           <query>
          chart count over artist_name by track_name limit=100
       </query>
         </search>
         <option name="charting.chart">column</option>
     <option name="charting.chart.stackMode">stacked</option>
       </chart>
     </panel>
     <panel>
       <chart>
     <title>Chart 2 - Working</title>
         <search>
           <query>
         | inputlookup music2.csv | search artist_name=* | table artist_name bc_uri track_name | chart count over artist_name by track_name limit=100
       </query>
         </search>
         <option name="charting.chart">column</option>
     <option name="charting.chart.stackMode">stacked</option>
       </chart>
     </panel>
     <panel>
       <chart>
     <title>Chart 3 - Working</title>
     <search base="baseSearch">
           <query>
          chart count(track_name) by artist_name
           </query>
         </search>
         <option name="charting.chart">pie</option>
       </chart>
     </panel>
   </row>
 </dashboard>

If you still think it's a bug, feel free to open one at http://www.splunk.com/r/bugs

Hey,

I have same version splunk 6.2.4

When I created music2.csv with those two records and copied whole of your Dashboard content above in my xml. It worked like charm.

That's what made me curious and I tried more than 50 combination tests and comparisons on my original xml and your xml content above and to your surprise I found where the issue was.

I am unable to add an answer so check by answer in woodcock's post.

Thanks

Hi Mus,

When I click on search for this column chart, it searches with final query as below so the chart generated properly in Search's Visualization Tab:

host="MusicData" | table artist_name bc_uri track_name |        regex bc_uri="/browse/tracks/*" | chart count over artist_name by track_name limit=100    

Then I tried to replicate the error by creating a saved search and using it in search tab as below:

|savedsearch testsavedsearch | chart count over artist_name by track_name limit=100

Still it worked fine. So the issue is coming only inside a dashboard panel chart. Do you still want a Job Inspector log?

Search Query is searching from below sample data:

"_time","artist_name",eventtype,"search_terms","bc_uri","track_name"
"1360368808.948083",,"ua-mobile-ipad",LMFAO,"/browse/search/LMFAO",
"1360368808.945860",,"ua-mobile-android",,"/ads/showbanner",
"1360368808.939115",,"ua-mobile-iphone",,"/sync/createplaylist",
"1360368806.935405",,"ua-mobile-android",,"/browse/home",
"1360368806.886419",Rihanna,"ua-mobile-blackberry",,"/browse/tracks/01011207201000005652000000000049","You Da One"
"1360368806.868352",,"ua-mobile-android",,"/auth/5558899235",
"1360368805.956702",,"ua-mobile-blackberry",,"/ads/showbanner",
"1360368805.937359","Toby Keith","ua-mobile-blackberry",,"/browse/tracks/01011207201000005652000000000083","Red Solo Cup"
"1360368805.919084",,"ua-mobile-android",,"/browse/artist/0026",
"1360368805.917081",,"ua-mobile-ipad",,"/sync/createplaylist",

Hi,

Thank You!

Where can I track the support case for this? Any Url?