Solved: When I run my search, it returns results, but why ...

adamblock2 · ‎07-08-2016

The following search returns results when I run it as a search, but not when it is used as a dashboard panel. The dashboard panel displays Search is waiting for input...

|eventcount summarize=false index=* 
|dedup index
|fields index
|map maxsearches=100 search="
|metadata type=sources index=\"$index$\" 
|eval index=\"$index$\""
|where relative_time(now(), "-2d") > lastTime
|where relative_time(now(), "-14d") < lastTime
|rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update"
| fieldformat Count=tostring(Count, "commas")
| fieldformat "First Event"=strftime('First Event', "%c")
| fieldformat "Last Event"=strftime('Last Event', "%c")
| fieldformat "Last Update"=strftime('Last Update', "%c")
| table index, type,sourcetype,"First Event", "Last Event", "Last Update", Count

I think that for some reason, the \"$index$\" statement is the problem. Assistance with this would be appreciated.

Thank you.

somesoni2 · ‎07-08-2016

Replace each dollar $ sign with two dollar $$, when using in dashboard.

View solution in original post

somesoni2 · ‎07-08-2016

Replace each dollar $ sign with two dollar $$, when using in dashboard.

When I run my search, it returns results, but why am I getting "Search is waiting for input..." when used in a dashboard panel?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes