Hello.
I have a search which first collects the top 3% of "S3_call_error2", then searches within that list to return the top "S3_call_dest_custid"s reporting each of these errors found:
index="xxx-cdr" DEVICE07 OR DEVICE08 | fillnull value="sucessful" S3_call_error2 | top S3_call_error2 useother=f | where percent >3| map search="search S3_call_error2=$S3_call_error2$ | top S3_call_error2 by S3_call_dest_custid |sort 3 -count |table S3_call_dest_custid S3_call_error2"
When I run this in the Search app, I get correct results. However, when I put it into a dashboard, I get "Search is waiting for input".
I am sure that part of this has to do with my variable assignment (search S3_call_error2=$S3_call_error2$), and I honestly cannot remember exactly why it is there, however the search (app) fails to return any results without it.
What can be causing this to work in Search but not in a Dashboard?
Thanks.
Try using $$ around your variable instead of just $, like this:
index="xxx-cdr" DEVICE07 OR DEVICE08 | fillnull value="sucessful" S3_call_error2 | top S3_call_error2 useother=f | where percent >3| map search="search S3_call_error2=$$S3_call_error2$$ | top S3_call_error2 by S3_call_dest_custid |sort 3 -count |table S3_call_dest_custid S3_call_error2"
Try this workaround as well (no map command, may perform a little better as well).
index="xxx-cdr" DEVICE07 OR DEVICE08 | fillnull value="sucessful" S3_call_error2 | stats count by S3_call_error2 S3_call_dest_custid | eventstats sum(count) as Total by S3_call_error2 | eventstats sum(count) as GrandTotal | where (Total*100)/GrandTotal > 3 | sort 0 S3_call_error2, - count | streamstats count as rank by S3_call_error2 | where rank<4 |table S3_call_dest_custid S3_call_error2
Thanks for this one also - It also works, although it includes the 'successful' calls in the result list, which is not necessary.
I want to look this one over a bit further to understand the revamping of my search. I think there are some interesting things I can pull out of this revision of my search syntax.
Thanks for this. Curiously this seems to work in a dashboard, however not when I run it from the search app. And more oddly, it DOES however run when I click the magnifying glass link (open in Search app) from the dashboard!
I too am facing the same problem and I posted the query yesterday. Hope we will get the resolution.
http://answers.splunk.com/answers/209024/why-is-the-map-command-not-working-in-dashboard-an.html
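Added example, not part of the original thread: in a Simple XML dashboard, $name$ is read as a dashboard token, so the map command's $S3_call_error2$ is treated as an unset input until it is written $$S3_call_error2$$. This Python sketch finds such references in a dashboard's query elements and escapes them. The sample dashboard, the "device" input and all function names are constructed for illustration, and only tokens declared by input or set elements are treated as real dashboard tokens.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample dashboard. The query is shortened from the question;
# the "device" input and its $device$ token are assumptions for illustration.
DASHBOARD = """<form>
  <fieldset>
    <input type="dropdown" token="device"><label>Device</label></input>
  </fieldset>
  <row><panel><table><search>
    <query>index="xxx-cdr" $device$ | top S3_call_error2 useother=f | where percent &gt;3 | map search="search S3_call_error2=$S3_call_error2$ | top S3_call_error2 by S3_call_dest_custid"</query>
  </search></table></panel></row>
</form>"""

# "$$" is an already-escaped literal dollar; "$name$" is a token reference.
TOKEN = re.compile(r"\$\$|\$([^$\s]+)\$")

def declared_tokens(root):
    """Names the dashboard itself defines via <input token=...> or <set token=...>."""
    return {el.get("token") for tag in ("input", "set")
            for el in root.iter(tag) if el.get("token")}

def escape_undeclared(query, declared):
    """Return (query with undeclared $name$ doubled to $$name$$, names escaped)."""
    escaped = []
    def fix(match):
        name = match.group(1)
        # Leave "$$" alone; leave real tokens alone ($tok.earliest$, $tok|s$ included).
        if name is None or re.split(r"[.|]", name)[0] in declared:
            return match.group(0)
        escaped.append(name)
        return "$$" + name + "$$"
    return TOKEN.sub(fix, query), escaped

def lint(xml_text):
    """Check every <query> in a Simple XML dashboard."""
    root = ET.fromstring(xml_text)
    declared = declared_tokens(root)
    return [escape_undeclared(q.text or "", declared) for q in root.iter("query")]

if __name__ == "__main__":
    for fixed, names in lint(DASHBOARD):
        print("escaped:", names)
        print(fixed)
```

Running the escaped query through the function a second time changes nothing, so it is safe to apply to dashboards that are already partly fixed.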