Splunk Search

My search returns results but why does it not work as a query in my dashboard?

Motivator

Hi,

I have this query

index=top10_1 source="*Account_Log*" OR source="*Arm_Disarm_Events*" OR source="*CPE_Commands*" OR source="*Connectivity_Events*" OR source="*Security_Events*" OR source="*Troubles*" "Uc-keypad hung"|table _time PREMISE|map maxsearches=25 search="search index=top10_1 source="*Account_Log*" OR source="*Arm_Disarm_Events*" OR source="*CPE_Commands*" OR source="*Connectivity_Events*" OR source="*Security_Events*" OR source="*Troubles*" PREMISE=$PREMISE$"|eval EVENT_TYPE = coalesce(EVENT_SUB_TYPE,COMMAND_TYPE)|eval DSTATUS = coalesce(DIFF,STATUS)|fields  PREMISE DSTATUS OBJECT_TYPE EVENT_TYPE  _raw|eventstats count as grandtotal|eventstats count as ptotal by EVENT_TYPE|chart count values(eval(round(ptotal/grandtotal*100,2))) as Percentage by EVENT_TYPE|sort -count

Which works (albeit a bit slowly) in Search every time, but when trying to add it to a dashboard all the panel says is "Search is waiting for input" and it just sits there. Any thoughts?

Here is the dashboard XML. It is the last panel.

<dashboard>
  <label>UC Keypad</label>
  <row>
    <panel>
      <chart>
        <title>UC-Keypad Hung by Premise - All Time</title>
        <search>
          <query>index=top10_1 Uc-keypad|timechart span=1d count|rename count as "UC-Keypad Hung Count by Day"</query>
          <earliest>0</earliest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.axisTitleX.text">Count</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>UC-Keypad Hung by Premise - All Time</title>
        <search>
          <query>index=top10_1 Uc-keypad|eventstats count as grandtotal|eventstats count as ptotal by PREMISE|chart count values(eval(round(ptotal/grandtotal*100,2))) as Percentage by PREMISE|sort -count</query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>UC-Keypad Hung Last 24 Hrs</title>
        <search>
          <query>earliest=-24h index=top10_1 Uc-keypad|timechart count|rename count as "UC-Keypad Hung Last 24hrs"</query>
          <earliest>0</earliest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>UC-Keypad Hung in the last 24hrs</title>
        <search>
          <query>earliest=-24h index=top10_1 Uc-keypad|eventstats count as grandtotal|eventstats count as ptotal by PREMISE|chart count values(eval(round(ptotal/grandtotal*100,2))) as Percentage by PREMISE|sort -count</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=top10_1 source="*Account_Log*" OR source="*Arm_Disarm_Events*" OR source="*CPE_Commands*" OR source="*Connectivity_Events*" OR source="*Security_Events*" OR source="*Troubles*" "Uc-keypad hung"|table _time PREMISE|map maxsearches=25 search="search index=top10_1 source="*Account_Log*" OR source="*Arm_Disarm_Events*" OR source="*CPE_Commands*" OR source="*Connectivity_Events*" OR source="*Security_Events*" OR source="*Troubles*" PREMISE=$PREMISE$"|eval EVENT_TYPE = coalesce(EVENT_SUB_TYPE,COMMAND_TYPE)|eval DSTATUS = coalesce(DIFF,STATUS)|fields  PREMISE DSTATUS OBJECT_TYPE EVENT_TYPE  _raw|eventstats count as grandtotal|eventstats count as ptotal by EVENT_TYPE|chart count values(eval(round(ptotal/grandtotal*100,2))) as Percentage by EVENT_TYPE|sort -count</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma
1 Solution

Motivator

Found it. It isn't the MAP command per se, it is the field value it matches on. In this case PREMISE=$PREMISE$. When you put it into a dashboard the dashboard interprets the $PREMISE$ as a token and it is waiting on the token to be set. Hence the "Search is waiting for input" message. Enclosing the $PREMISE$ with another pair of $ solves this problem. So in the dashboard change PREMISE=$PREMISE$ to PREMISE=$$PREMISE$$.


0 Karma
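The behaviour described in the accepted answer can be checked without a Splunk instance. The following Python script is an added example, not code from the thread or from Splunk: it models how a Simple XML panel scans its query for $name$ token references, treats a doubled $$ as a literal dollar sign, and stalls on "waiting for input" when a referenced token has never been set. The token grammar in TOKEN_RE is a simplification of the real parser (it only accepts an identifier with an optional |filter suffix such as $tok|s$), and ORIGINAL is a shortened, constructed version of the map() search from the question; the helper names are mine.

```python
import re
from xml.sax.saxutils import escape

# Simplified grammar for Simple XML token references (assumption, not Splunk's parser):
#   "$$"           -> a literal "$" that reaches the search as-is
#   "$name$"       -> a token the dashboard must resolve before the search can run
#   "$name|s$"     -> a token with a filter suffix, same resolution rule
TOKEN_RE = re.compile(r"\$\$|\$([A-Za-z_][\w.]*(?:\|[A-Za-z]+)?)\$")

# Constructed sample: the map() search from the question, shortened to the part
# that matters. map() itself substitutes $PREMISE$ per row at search time, but the
# dashboard sees the same text first and reads it as a dashboard token.
ORIGINAL = ('index=top10_1 "Uc-keypad hung"|table _time PREMISE'
            '|map maxsearches=25 search="search index=top10_1 PREMISE=$PREMISE$"')

# The fix from the accepted answer: wrap the reference in a second pair of $.
FIXED = ORIGINAL.replace("$PREMISE$", "$$PREMISE$$")


def find_tokens(spl):
    """Return the dashboard token names this query would wait on (escaped $$ ignored)."""
    names = []
    for m in TOKEN_RE.finditer(spl):
        if m.group(0) == "$$":
            continue  # escaped dollar sign, not a token reference
        names.append(m.group(1).split("|")[0])  # drop any |filter suffix
    return names


def resolve(spl, tokens):
    """Simulate the dashboard: substitute set tokens, collapse $$ to $, and report
    ('waiting for input', <token>) if any referenced token is unset."""
    def sub(m):
        if m.group(0) == "$$":
            return "$"
        name = m.group(1).split("|")[0]
        if name not in tokens:
            raise LookupError(name)
        return tokens[name]
    try:
        return "ok", TOKEN_RE.sub(sub, spl)
    except LookupError as e:
        return "waiting for input", str(e)


def escape_for_dashboard(spl):
    """Double every lone $ so map()/subsearch references survive as literal text.
    Already-doubled $$ is left untouched, so the function is idempotent."""
    return re.sub(r"(?<!\$)\$(?!\$)", "$$", spl)


def panel_query_xml(spl):
    """Wrap a query in the <query> element the dashboard XML expects, XML-escaping
    &, < and > (quotes and $ need no escaping in element text)."""
    return "<query>" + escape(spl) + "</query>"


if __name__ == "__main__":
    print("tokens in original :", find_tokens(ORIGINAL))
    print("dashboard, no token:", resolve(ORIGINAL, {}))
    print("tokens in fixed    :", find_tokens(FIXED))
    print("dashboard, fixed   :", resolve(FIXED, {})[1])
    print(panel_query_xml(escape_for_dashboard(ORIGINAL)))
```

Running it shows the two states from the thread side by side: the original query reports one unresolved token (PREMISE) and the panel never starts, while the $$-escaped query resolves to exactly the text the original search ran, with PREMISE=$PREMISE$ left for map() to fill in per row. The same escaping applies to any other $...$ placeholder that belongs to the search rather than to the dashboard.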

Motivator

Update: It works until the MAP command. Once that is added the panel stops working. What is special about the MAP command and dashboard panels?

0 Karma