Splunk Search

My search returns results but why does it not work as a query in my dashboard?

dbcase
Motivator

Hi,

I have this query

index=top10_1 source="*Account_Log*" OR source="*Arm_Disarm_Events*" OR source="*CPE_Commands*" OR source="*Connectivity_Events*" OR source="*Security_Events*" OR source="*Troubles*" "Uc-keypad hung"
| table _time PREMISE
| map maxsearches=25 search="search index=top10_1 source="*Account_Log*" OR source="*Arm_Disarm_Events*" OR source="*CPE_Commands*" OR source="*Connectivity_Events*" OR source="*Security_Events*" OR source="*Troubles*" PREMISE=$PREMISE$"
| eval EVENT_TYPE = coalesce(EVENT_SUB_TYPE,COMMAND_TYPE)
| eval DSTATUS = coalesce(DIFF,STATUS)
| fields PREMISE DSTATUS OBJECT_TYPE EVENT_TYPE _raw
| eventstats count as grandtotal
| eventstats count as ptotal by EVENT_TYPE
| chart count values(eval(round(ptotal/grandtotal*100,2))) as Percentage by EVENT_TYPE
| sort -count

Which works (albeit a bit slowly) in Search every time, but when trying to add it to a dashboard all the panel says is "Search is waiting for input" and it just sits there. Any thoughts?

Here is the dashboard XML. It is the last panel.

<dashboard>
  <label>UC Keypad</label>
  <row>
    <panel>
      <chart>
        <title>UC-Keypad Hung by Premise - All Time</title>
        <search>
          <query>index=top10_1 Uc-keypad|timechart span=1d count|rename count as "UC-Keypad Hung Count by Day"</query>
          <earliest>0</earliest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.axisTitleX.text">Count</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>UC-Keypad Hung by Premise - All Time</title>
        <search>
          <query>index=top10_1 Uc-keypad|eventstats count as grandtotal|eventstats count as ptotal by PREMISE|chart count values(eval(round(ptotal/grandtotal*100,2))) as Percentage by PREMISE|sort -count</query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>UC-Keypad Hung Last 24 Hrs</title>
        <search>
          <query>earliest=-24h index=top10_1 Uc-keypad|timechart count|rename count as "UC-Keypad Hung Last 24hrs"</query>
          <earliest>0</earliest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>UC-Keypad Hung in the last 24hrs</title>
        <search>
          <query>earliest=-24h index=top10_1 Uc-keypad|eventstats count as grandtotal|eventstats count as ptotal by PREMISE|chart count values(eval(round(ptotal/grandtotal*100,2))) as Percentage by PREMISE|sort -count</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=top10_1 source="*Account_Log*" OR source="*Arm_Disarm_Events*" OR source="*CPE_Commands*" OR source="*Connectivity_Events*" OR source="*Security_Events*" OR source="*Troubles*" "Uc-keypad hung"|table _time PREMISE|map maxsearches=25 search="search index=top10_1 source="*Account_Log*" OR source="*Arm_Disarm_Events*" OR source="*CPE_Commands*" OR source="*Connectivity_Events*" OR source="*Security_Events*" OR source="*Troubles*" PREMISE=$PREMISE$"|eval EVENT_TYPE = coalesce(EVENT_SUB_TYPE,COMMAND_TYPE)|eval DSTATUS = coalesce(DIFF,STATUS)|fields  PREMISE DSTATUS OBJECT_TYPE EVENT_TYPE  _raw|eventstats count as grandtotal|eventstats count as ptotal by EVENT_TYPE|chart count values(eval(round(ptotal/grandtotal*100,2))) as Percentage by EVENT_TYPE|sort -count</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma
1 Solution

dbcase
Motivator

Found it. It isn't MAP command per se, it is the field value it matches on. In this case PREMISE=$PREMISE$. When you put it into a dashboard the dashboard interprets the $PREMISE$ as a token and it is waiting on the token to be set. Hence the Search is Waiting for Input message. Enclosing the $PREMISE$ with another pair of $ solves this problem. So in the dashboard change PREMISE=$PREMISE$ to PREMISE=$$PREMISE$$


0 Karma
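As an added example (not part of the original thread), a small Python check that parses Simple XML dashboard source and reports panels whose `<query>` references a `$token$` that no `<input token="...">` defines, while treating `$$` as the escaped literal dollar the accepted answer relies on. The dashboard text inside it is a constructed, trimmed copy of the one in the question, with an assumed title on the last panel.

```python
import re
import xml.etree.ElementTree as ET

# Simple XML token syntax: $name$ is a token the dashboard must supply;
# "$$" is the escape that yields a literal "$" and is NOT a token.
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.:-]*)\$")

def query_tokens(query):
    """Token names a <query> references, ignoring $$-escaped dollars."""
    return set(TOKEN_RE.findall(query.replace("$$", "\x00")))

def undefined_tokens(xml_text):
    """Map panel title -> tokens its query uses that no <input token=...> defines.
    Such a panel never runs; Splunk shows 'Search is waiting for input'."""
    root = ET.fromstring(xml_text)
    defined = {i.get("token") for i in root.iter("input") if i.get("token")}
    problems = {}
    for n, panel in enumerate(root.iter("panel")):
        title_el = panel.find(".//title")
        title = title_el.text if title_el is not None else f"panel-{n}"
        for q in panel.iter("query"):
            missing = query_tokens(q.text or "") - defined
            if missing:
                problems[title] = missing
    return problems

# Constructed, trimmed copy of the dashboard from the question: panel 1 uses
# no tokens, panel 2 carries the map search with PREMISE=$PREMISE$ in its query.
BROKEN = """<dashboard>
  <label>UC Keypad</label>
  <row><panel><table>
    <title>UC-Keypad Hung by Premise - All Time</title>
    <search><query>index=top10_1 Uc-keypad|eventstats count as grandtotal
      |eventstats count as ptotal by PREMISE|chart count by PREMISE</query></search>
  </table></panel></row>
  <row><panel><table>
    <title>UC-Keypad Hung by Event Type</title>
    <search><query>index=top10_1 "Uc-keypad hung"|table _time PREMISE
      |map maxsearches=25 search="search index=top10_1 PREMISE=$PREMISE$"
      |eventstats count as ptotal by EVENT_TYPE|chart count by EVENT_TYPE</query></search>
  </table></panel></row>
</dashboard>"""
# The fix from the accepted answer: double the dollars so the dashboard passes
# a literal $PREMISE$ through to the map command instead of waiting for a token.
FIXED = BROKEN.replace("$PREMISE$", "$$PREMISE$$")

if __name__ == "__main__":
    print("before:", undefined_tokens(BROKEN))  # {'UC-Keypad Hung by Event Type': {'PREMISE'}}
    print("after: ", undefined_tokens(FIXED))   # {}
```

Time inputs expose `$name.earliest$` and `$name.latest$` rather than `$name$`, so a dashboard using those would need the check extended to derive them from the input's token name.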

dbcase
Motivator

Update: It works until the MAP command. Once that is added the panel stops working. What is special about the MAP command and dashboard panels?

0 Karma