Splunk Search

My search returns results but why does it not work as a query in my dashboard?

dbcase
Motivator

Hi,

I have this query

index=top10_1 source="*Account_Log*" OR source="*Arm_Disarm_Events*" OR source="*CPE_Commands*" OR source="*Connectivity_Events*" OR source="*Security_Events*" OR source="*Troubles*" "Uc-keypad hung"|table _time PREMISE|map maxsearches=25 search="search index=top10_1 source="*Account_Log*" OR source="*Arm_Disarm_Events*" OR source="*CPE_Commands*" OR source="*Connectivity_Events*" OR source="*Security_Events*" OR source="*Troubles*" PREMISE=$PREMISE$"|eval EVENT_TYPE = coalesce(EVENT_SUB_TYPE,COMMAND_TYPE)|eval DSTATUS = coalesce(DIFF,STATUS)|fields  PREMISE DSTATUS OBJECT_TYPE EVENT_TYPE  _raw|eventstats count as grandtotal|eventstats count as ptotal by EVENT_TYPE|chart count values(eval(round(ptotal/grandtotal*100,2))) as Percentage by EVENT_TYPE|sort -count

Which works (albeit a bit slowly) in Search every time, but when trying to add it to a dashboard all the panel says is "Search is waiting for input" and it just sits there. Any thoughts?

Here is the dashboard XML. It is the last panel.

<dashboard>
  <label>UC Keypad</label>
  <row>
    <panel>
      <chart>
        <title>UC-Keypad Hung by Premise - All Time</title>
        <search>
          <query>index=top10_1 Uc-keypad|timechart span=1d count|rename count as "UC-Keypad Hung Count by Day"</query>
          <earliest>0</earliest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.axisTitleX.text">Count</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>UC-Keypad Hung by Premise - All Time</title>
        <search>
          <query>index=top10_1 Uc-keypad|eventstats count as grandtotal|eventstats count as ptotal by PREMISE|chart count values(eval(round(ptotal/grandtotal*100,2))) as Percentage by PREMISE|sort -count</query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>UC-Keypad Hung Last 24 Hrs</title>
        <search>
          <query>earliest=-24h index=top10_1 Uc-keypad|timechart count|rename count as "UC-Keypad Hung Last 24hrs"</query>
          <earliest>0</earliest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>UC-Keypad Hung in the last 24hrs</title>
        <search>
          <query>earliest=-24h index=top10_1 Uc-keypad|eventstats count as grandtotal|eventstats count as ptotal by PREMISE|chart count values(eval(round(ptotal/grandtotal*100,2))) as Percentage by PREMISE|sort -count</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=top10_1 source="*Account_Log*" OR source="*Arm_Disarm_Events*" OR source="*CPE_Commands*" OR source="*Connectivity_Events*" OR source="*Security_Events*" OR source="*Troubles*" "Uc-keypad hung"|table _time PREMISE|map maxsearches=25 search="search index=top10_1 source="*Account_Log*" OR source="*Arm_Disarm_Events*" OR source="*CPE_Commands*" OR source="*Connectivity_Events*" OR source="*Security_Events*" OR source="*Troubles*" PREMISE=$PREMISE$"|eval EVENT_TYPE = coalesce(EVENT_SUB_TYPE,COMMAND_TYPE)|eval DSTATUS = coalesce(DIFF,STATUS)|fields  PREMISE DSTATUS OBJECT_TYPE EVENT_TYPE  _raw|eventstats count as grandtotal|eventstats count as ptotal by EVENT_TYPE|chart count values(eval(round(ptotal/grandtotal*100,2))) as Percentage by EVENT_TYPE|sort -count</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
      </table>
    </panel>
  </row>
</dashboard>
1 Solution

dbcase
Motivator

Found it. It isn't the MAP command per se, it is the field value it matches on. In this case PREMISE=$PREMISE$. When you put it into a dashboard, the dashboard interprets the $PREMISE$ as a token and it is waiting on the token to be set. Hence the "Search is Waiting for Input" message. Enclosing the $PREMISE$ with another pair of $ solves this problem. So in the dashboard change PREMISE=$PREMISE$ to PREMISE=$$PREMISE$$.


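The token rule from the accepted answer, modelled in Python as an added example for this thread (not Splunk's own code): "$$" is an escaped literal dollar, any remaining "$name$" is a dashboard token that blocks the panel until it is set, and a small checker scans a dashboard's `<query>` elements for tokens that no `<input>` declares. The sample dashboard is constructed, and token filters such as `$tok|s$` are not modelled (an assumption of this model).

```python
import re
import xml.etree.ElementTree as ET

# Model of how a Simple XML dashboard treats "$...$" in a <query> before the
# search runs (an illustration for this thread, not Splunk's code). Rule from
# the accepted answer: "$$" is an escaped literal "$"; any remaining "$name$"
# is a dashboard token that must be set, or the panel waits for input.
TOKEN_RE = re.compile(r"\$\$|\$([A-Za-z_][A-Za-z0-9_.:]*)\$")  # no |filters (assumption)

def resolve_tokens(query, token_values):
    """Return (resolved_query, names_of_unset_tokens)."""
    unresolved = []

    def substitute(match):
        if match.group(0) == "$$":
            return "$"                  # escaped: SPL receives a literal $
        name = match.group(1)
        if name in token_values:
            return token_values[name]   # set token: substituted
        unresolved.append(name)
        return match.group(0)           # unset token: left as-is and reported

    return TOKEN_RE.sub(substitute, query), unresolved

def escape_map_tokens(query):
    """Rewrite $field$ as $$field$$ so map's reference reaches SPL untouched."""
    return TOKEN_RE.sub(
        lambda m: "$$" if m.group(0) == "$$" else "$$" + m.group(1) + "$$", query)

def unset_tokens_per_panel(dashboard_xml):
    """Map each <query> text to tokens it uses that no <input token=...> declares;
    such tokens (e.g. map's $PREMISE$) block that panel permanently."""
    root = ET.fromstring(dashboard_xml)
    declared = {i.get("token") for i in root.iter("input") if i.get("token")}
    report = {}
    for query in root.iter("query"):
        text = query.text or ""
        _, unresolved = resolve_tokens(text, dict.fromkeys(declared, ""))
        if unresolved:
            report[text] = sorted(set(unresolved))
    return report

# Constructed sample dashboard: a single panel using map as the question does.
SAMPLE_DASHBOARD = """<dashboard>
  <row><panel><table><search>
    <query>index=top10_1 "Uc-keypad hung"|table _time PREMISE|map search="search index=top10_1 PREMISE=$PREMISE$"</query>
  </search></table></panel></row>
</dashboard>"""
```

Running `unset_tokens_per_panel` over a dashboard before saving it reports exactly the panels that would sit at "Search is waiting for input", and `escape_map_tokens` produces the `$$PREMISE$$` form the answer recommends.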


dbcase
Motivator

Update: It works until the MAP command. Once that is added the panel stops working. What is special about the MAP command and dashboard panels?
