Solved: Why does my search work in the Search app, but not...

lennys26 · ‎01-20-2015

Hello.

I have a search which first collects the top 3% of "S3_call_error2", then searches within that list to return the top "S3_call_dest_custid"s reporting each of these errors found:

index="xxx-cdr" DEVICE07 OR DEVICE08 | fillnull value="sucessful" S3_call_error2 | top S3_call_error2 useother=f | where percent >3| map search="search S3_call_error2=$S3_call_error2$ | top S3_call_error2 by S3_call_dest_custid |sort 3 -count |table S3_call_dest_custid S3_call_error2"

When I run this in the Search app, I get correct results. However, when I put it into a dashboard, I get "Search is waiting for input".

I am sure that part of this has to do with my variable assignment (search S3_call_error2=$S3_call_error2$), and I honestly cannot remember exactly why it is there, however the search (app) fails to return any results without it.

What can be causing this to work in Search but not in a Dashboard?

Thanks.

wpreston · ‎01-20-2015

Try using $$ around your variable instead of just $, like this:

index="xxx-cdr" DEVICE07 OR DEVICE08 | fillnull value="sucessful" S3_call_error2 | top S3_call_error2 useother=f | where percent >3| map search="search S3_call_error2=$$S3_call_error2$$ | top S3_call_error2 by S3_call_dest_custid |sort 3 -count |table S3_call_dest_custid S3_call_error2"

View solution in original post

somesoni2 · ‎01-20-2015

Try this workaround as well (no map command, may perform little better as well).

index="xxx-cdr" DEVICE07 OR DEVICE08 | fillnull value="sucessful" S3_call_error2  | stats count by S3_call_error2 S3_call_dest_custid | eventstats sum(count) as Total by S3_call_error2 | eventstats sum(count) as GrandTotal | where (Total*100)/GrandTotal > 3 | sort 0 S3_call_error2, - count | streamstats count as rank by S3_call_error2 | where rank<4 |table S3_call_dest_custid S3_call_error2

lennys26 · ‎01-20-2015

Thanks for this one also - It also works, although it includes the 'successful' calls in the result list, which is not necessary.

I want to look this one over a bit further to understand the revamping of my search. I think there are some interesting things I can pull out of this revision of my search syntax.

wpreston · ‎01-20-2015

Try using $$ around your variable instead of just $, like this:

index="xxx-cdr" DEVICE07 OR DEVICE08 | fillnull value="sucessful" S3_call_error2 | top S3_call_error2 useother=f | where percent >3| map search="search S3_call_error2=$$S3_call_error2$$ | top S3_call_error2 by S3_call_dest_custid |sort 3 -count |table S3_call_dest_custid S3_call_error2"

lennys26 · ‎01-20-2015

Thanks for this. Curiously this seems to work in a dashboard, however not when I run it from the search app. And more oddly, it DOES however run when I click the magnifying glass link (open in Search app) from the dashboard!

jayannah · ‎01-20-2015

I too facing the same problem and I posted the query yesterday. Hope we will get the resolution.

http://answers.splunk.com/answers/209024/why-is-the-map-command-not-working-in-dashboard-an.html

Why does my search work in the Search app, but not in a dashboard?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life