Hi niketnilay,
Thanks for your suggestion, I tweaked my SPL accordingly and it now runs successfully. However, when I add it to a statistics panel in the dashboard, it doesn't run and keeps saying "waiting for input", see attached picture.
SPL:
index=nsplogs host=hostA sourcetype=serverLog source="/opt/*" "Test Result:"
| rex .*"Action: "(?\w+).*", Test Result: "(?\w+).*", Start Time: "(?\d+\.\d+)", End Time: "(?(\d+\.\d+)).*
| table Action Status startTime endTime
| map maxsearches=1000 search="search index=nsplogs host=hostB sourcetype=serverLog earliest=$startTime$ latest=$endTime$ *Exception
| rex .*\": (?[\w\.]*Exception)\" | eval Action=\"$Action$\", Status=\"$Status$\", startTime=\"$startTime$\", endTime=\"$endTime$\"
| stats count(exceptionClass) as ExceptionCount by Action Status"
| table Action Status ExceptionCount
Note that values of host attribute reflect real server names and aren't parametrized or are not tokens, so I don't know what input it is waiting for.
Attached is a picture showing dashboard source code.
Any thoughts?
Thanks
... View more