Why am I getting 'Search is waiting for input' for one of 3 reports on my dashboard?

Laya123
Communicator

Hi,

I am creating a dashboard using a CSV file (inputlookup xxxx.csv). I have created 3 reports in a dashboard, and for the first 2 reports I am getting data, but for the 3rd report I am not getting any values and it is showing 'Search is waiting for input'. Below is my XML code. Here I am not using any time frame because I am using a CSV as the input and in that file, I have a date field. From this date field, I am extracting Day for 2 drop-down boxes for Fromdate and Todate. This Fromdate and Todate is working only for the first 2 reports, but not for the 3rd report. I tried different things, but no luck.

Example: If I want a report for the 5th to 10th, I will select 5 from the first drop-down and 10 from the second drop-down. Based on these selections, my report is giving results for those 5 days (5th to 10th), but only for the first 2 reports; the 3rd report is showing 'Search is waiting for input'.

Below is the query which I used. Can anyone help me to do this?

<form>
  <label>Sample</label>
  <description>Sample</description>
  <fieldset submitButton="false" autoRun="false">
    <input type="dropdown" token="StartDay1" searchWhenChanged="true">
      <label>From</label>
      <choice value="*">All</choice>
      <search>
        <query>|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|stats dc(Start_Day) by Start_Day</query>
      </search>
      <fieldForLabel>Start_Day</fieldForLabel>
      <fieldForValue>Start_Day</fieldForValue>
    </input>
    <input type="dropdown" token="StartDay2" searchWhenChanged="true">
      <label>To</label>
      <choice value="*">All</choice>
      <search>
        <query>|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|stats dc(Start_Day) by Start_Day</query>
      </search>
      <fieldForLabel>Start_Day</fieldForLabel>
      <fieldForValue>Start_Day</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <input type="multiselect" token="AAType" searchWhenChanged="true">
        <label>Activation Type</label>
        <search>
          <query>|inputlookup _AADaily.csv |stats count by AAtype</query>
        </search>
        <fieldForLabel>AType</fieldForLabel>
        <fieldForValue>AAtype</fieldForValue>
        <default>Publish</default>
        <prefix>(</prefix>
        <valuePrefix>AAtype ="</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter> OR </delimiter>
        <suffix>)</suffix>
      </input>
      <input type="multiselect" token="Status1" searchWhenChanged="true">
        <label>Status</label>
        <search>
          <query>|inputlookup _AADaily.csv|stats count by Status</query>
        </search>
        <fieldForLabel>Status</fieldForLabel>
        <fieldForValue>Status</fieldForValue>
        <default>Published</default>
        <prefix>(</prefix>
        <valuePrefix>Status ="</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter> OR </delimiter>
        <suffix>)</suffix>
      </input>
      <chart>
        <title>Averagetime</title>
        <search>
          <query>|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|where Start_Day>=$StartDay1$ AND Start_Day<=$StartDay2$ |where ($AAType$) AND ($Status1$) |chart avg(Total_TimeSec) AS "Avg_Total_ActivationTime" over ServerName by AAtype</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <table>
        <title>Averagetime_Statiscs</title>
        <search>
          <query>|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|where Start_Day>=$StartDay1$ AND Start_Day<=$StartDay2$ |where ($AAType$) AND ($Status1$) |chart avg(Total_TimeSec) AS "Avg_Total_ActivationTime" over ServerName by AAtype</query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Verification</title>
        <search>
          <query>|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|where Start_Day>=$StartDay1$ AND Start_Day<=$StartDay2$|where Cluster="N" OR Cluster!="ST" |eval app_status = Cluster . ":" . Status | chart count over host by app_status| appendcols [ |inputlookup _AADaily.csv |where Cluster="S" OR Cluster!="ST" | eval app_status = Cluster . ":" . Status | chart count over host by app_status] |addtotals fieldname=N_Total N*|addtotals fieldname=S_Total S*| eval Grand_Total=0 | foreach *Total [ eval Grand_Total = Grand_Total + $<<FIELD>>$ ] | addcoltotals labelfield=host label=Total|table host N:* N_Total S:* S_Total Grand_Total</query>
        </search>
      </table>
    </panel>
  </row>
</form>

Thanks in advance

0 Karma
1 Solution

woodcock
Esteemed Legend

The problem is this:

$<<FIELD>>$

which should be this:

$$<FIELD>$$

So change this:

<query>|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|where Start_Day>=$StartDay1$ AND Start_Day<=$StartDay2$|where Cluster="N" OR Cluster!="ST" |eval app_status = Cluster . ":" . Status | chart count over host by app_status| appendcols [ |inputlookup _AADaily.csv |where Cluster="S" OR Cluster!="ST" | eval app_status = Cluster . ":" . Status | chart count over host by app_status] |addtotals fieldname=N_Total N*|addtotals fieldname=S_Total S*| eval Grand_Total=0 | foreach *Total [ eval Grand_Total = Grand_Total + $$<<FIELD>>$$ ] | addcoltotals labelfield=host label=Total|table host N:* N_Total S:* S_Total Grand_Total</query>

to this:

<query>|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|where Start_Day>=$StartDay1$ AND Start_Day<=$StartDay2$|where Cluster="N" OR Cluster!="ST" |eval app_status = Cluster . ":" . Status | chart count over host by app_status| appendcols [ |inputlookup _AADaily.csv |where Cluster="S" OR Cluster!="ST" | eval app_status = Cluster . ":" . Status | chart count over host by app_status] |addtotals fieldname=N_Total N*|addtotals fieldname=S_Total S*| eval Grand_Total=0 | foreach *Total [ eval Grand_Total = Grand_Total + $<<FIELD>>$ ] | addcoltotals labelfield=host label=Total|table host N:* N_Total S:* S_Total Grand_Total</query>

0 Karma

muebel
SplunkTrust

Hi Laya123, as the comments have suggested, I expect that the dashboard doesn't like the search string. Try wrapping the whole search string in <![CDATA[ ]]> to escape it:

<query><![CDATA[|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|where Start_Day>=$StartDay1$ AND Start_Day<=$StartDay2$ |where ($AAType$) AND ($Status1$) |chart avg(Total_TimeSec) AS "Avg_Total_ActivationTime" over ServerName by AAtype]]></query>

Please let me know if this helps. Thanks!

0 Karma

Laya123
Communicator

Thank you for your response, but I have a problem with my 3rd report. The first 2 reports are giving results when I have selected the days from the dropdown; the 3rd report is only showing 'Search is waiting for input' and not giving any records.

Regards

0 Karma

vranjith009
New Member

Where have you mentioned the value of "$FIELD$" in the third query?

0 Karma

Laya123
Communicator

Hi,

Thank you for your response,

$FIELD$ is not actually a token; I used it with the 'foreach' command to calculate the grand total.

Regards

0 Karma

aholzer
Motivator

Try using &#36; instead of $ around the $FIELD$

0 Karma

Laya123
Communicator

Hi, can you explain to me how & # 36 ; will work?

Thank you

0 Karma

aholzer
Motivator

It's the HTML special character code to replace the $. Right now though it thinks your $FIELD$ is an input it needs to wait for. By using &#36; you force the parsing to occur before it identifies it as an input.

0 Karma

Laya123
Communicator

Hi,

I didn't understand where to use and how to use & # 36 ;

But thank you so much, now I understand where the issue is and I changed my 3rd query a little bit. I removed the foreach command.

|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|where Start_Day>=$StartDay1$ AND Start_Day<=$StartDay2$|where Cluster="N" OR Cluster!="ST" |eval app_status = Cluster . ":" . Status | chart count over host by app_status| appendcols [ |inputlookup _AADaily.csv |where Cluster="S" OR Cluster!="ST" | eval app_status = Cluster . ":" . Status | chart count over host by app_status] |addtotals fieldname=N_Total N*|addtotals fieldname=S_Total S*| addtotals fieldname=Grand_Total Total| addcoltotals labelfield=host label=Total|table host N:* N_Total S:* S_Total Grand_Total

Thank you

0 Karma
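
The token-parsing behaviour discussed in this thread, as an added example that is not part of any post above: a small Python linter that lists the `$...$` references in each panel's query that no `<input>` defines, which is what leaves a panel at 'Search is waiting for input'. The token regex is a simplified assumption rather than Splunk's own parser, the sample dashboard is constructed, and the check relies on Simple XML reading `$$` as a literal `$`.

```python
import re
import xml.etree.ElementTree as ET

# Simplified model of Simple XML token scanning (an assumption, not Splunk's
# parser): "$$" is a literal dollar; any other "$name$" or "$name|filter$"
# run is a token reference the panel waits on until something sets it.
TOKEN_RE = re.compile(r"\$\$|\$([^$|]+)(?:\|[^$]+)?\$")


def referenced_tokens(query):
    """Return token names referenced by a query, skipping escaped "$$"."""
    return [m.group(1) for m in TOKEN_RE.finditer(query) if m.group(1)]


def unresolved_tokens(dashboard_xml):
    """Map panel title -> tokens that no <input token="..."> defines."""
    root = ET.fromstring(dashboard_xml)
    defined = {i.get("token") for i in root.iter("input") if i.get("token")}
    report = {}
    for panel in root.iter("panel"):
        for viz in panel:
            query = viz.findtext("search/query")
            if query is None:
                continue
            missing = sorted(set(referenced_tokens(query)) - defined)
            if missing:
                report[viz.findtext("title", default="(untitled)")] = missing
    return report


# Constructed sample: a cut-down version of the thread's third panel. The
# query sits in CDATA so its "<" characters are well-formed XML.
SAMPLE = """<form>
  <fieldset>
    <input type="dropdown" token="StartDay1"/>
    <input type="dropdown" token="StartDay2"/>
  </fieldset>
  <row><panel><table>
    <title>Verification</title>
    <search><query><![CDATA[| inputlookup _AADaily.csv
      | where Start_Day>=$StartDay1$ AND Start_Day<=$StartDay2$
      | eval Grand_Total=0
      | foreach *Total [ eval Grand_Total = Grand_Total + $<<FIELD>>$ ]
      | table host Grand_Total]]></query></search>
  </table></panel></row>
</form>"""
FIXED = SAMPLE.replace("$<<FIELD>>$", "$$<<FIELD>>$$")

if __name__ == "__main__":
    print("as posted:", unresolved_tokens(SAMPLE))
    print("escaped:  ", unresolved_tokens(FIXED))
```

Tokens set by other means than an `<input>` (for example a drilldown action) would also be listed, so treat the output as a list of references to review.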