Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I'm able to generate statistics with my search, but why am I unable to save it as dashboard?

le_krish
New Member
‎10-19-2016 09:59 AM

I'm able to generate statistics with my search, but why am I unable to save it as dashboard?
how to eliminate this speacal characters in the search.

|inputlookup MSDN_Call_Counts.csv             
|map search="|inputlookup MSDN_Lookup.csv | search RTR_Call="$RTR_Call$"  | eval count=$count$|rename $RTR_HTTP_Resp$ as Response|table RTR_Call,Response,count" maxsearches=1000
|chart sum(count) over RTR_Call by Response|fillnull value=0
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dbcase
Motivator
‎10-19-2016 12:02 PM

Change $variable name$ to $$variable name$$ for the dashboard

View solution in original post

Reply
Solved! Jump to solution
Solution

dbcase
Motivator
‎10-19-2016 12:02 PM

Change $variable name$ to $$variable name$$ for the dashboard

Reply
Solved! Jump to solution

le_krish
New Member
‎10-19-2016 12:13 PM

thanks it worked... struggling from morning....

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎10-19-2016 12:21 PM

Great! If you can accept an answer to close out the question that would be great!

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎10-19-2016 11:59 AM

Change "$RTR_Call$" to "$$RTR_Call$$"

0 Karma
Reply
Solved! Jump to solution

le_krish
New Member
‎10-19-2016 12:04 PM

it is saying no results found and below is my whole query

|inputlookup MSDN_Call_Counts.csv             
|map search="|inputlookup MSDN_Lookup.csv | search RTR_Call="$$RTR_Call$$"  | eval count="$$count$$"|rename "$$RTR_HTTP_Resp$$" as Response|table RTR_Call,Response,count" maxsearches=1000
|chart sum(count) over RTR_Call by Response|fillnull value=0|fields - NULL
|eval Bad_perc=round((Bad/(Bad+Good)*100),2)
|eval Good_perc=round((Good/(Good+Bad)*100),2)

 |join RTR_Call [|inputlookup MSDN_Lookup.csv |table Threshold,ThresholdCount,RTR_Call,API_Call]
 |rex field=RTR_Call "(?\w+.+?)"
 |eval Status= if(Good_perc >= 70 ,"Pass" ,"Fail")
 |eval Total_count=Bad+Good|where Total_count > ThresholdCount
0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎10-19-2016 11:34 AM

Can you create a new dashboard from the Dashboards view and click 'edit source' and put something like this in there, or change the options for if your using a chart instead of a table?

<dashboard>
  <label>Title</label>
    <row>
    <panel>
      <table>
        <search>
          <query>|inputlookup MSDN_Call_Counts.csv             
 |map search="|inputlookup MSDN_Lookup.csv | search RTR_Call="$RTR_Call$"  | eval count=$count$|rename $RTR_HTTP_Resp$ as Response|table RTR_Call,Response,count" maxsearches=1000
 |chart sum(count) over RTR_Call by Response|fillnull value=0</query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma
Reply
Solved! Jump to solution

le_krish
New Member
‎10-19-2016 11:56 AM

this is , is whole query ,even after editing the source i'm unable see the results on the dashboard, i'm getting something like this " search is wating for the input" ... 

|inputlookup MSDN_Call_Counts.csv             
|map search="|inputlookup MSDN_Lookup.csv | search RTR_Call=$RTR_Call$  | eval count=$count$|rename $RTR_HTTP_Resp$ as Response|table RTR_Call,Response,count" maxsearches=1000
|chart sum(count) over RTR_Call by Response|fillnull value=0|fields - NULL
|eval Bad_perc=round((Bad/(Bad+Good)*100),2)
|eval Good_perc=round((Good/(Good+Bad)*100),2)
 |join RTR_Call [|inputlookup MSDN_Lookup.csv |table Threshold,ThresholdCount,RTR_Call,API_Call]
 |rex field=RTR_Call "(?\w+.+?)"
 |eval Status= if(Good_perc >= 70 ,"Pass" ,"Fail")
 |eval Total_count=Bad+Good|where Total_count > ThresholdCount
0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎10-19-2016 12:07 PM

Change $variable name$ to $$variable name$$ for the dashboard

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-19-2016 11:13 AM

I remember this issue.. let's try ...
Please take only a part of this query and save it as the dashboard.
Once saved as dashboard, click edit source XML, there you will see the part of the query, add the full query now. Then save it.
In this method, that won't give any errors regarding the special characters.

0 Karma
Reply
Solved! Jump to solution

le_krish
New Member
‎10-19-2016 12:05 PM

it is saying "search is waiting for the input" and below is my whole query

|inputlookup MSDN_Call_Counts.csv 
|map search="|inputlookup MSDN_Lookup.csv | search RTR_Call="$$RTR_Call$$" | eval count="$$count$$"|rename "$$RTR_HTTP_Resp$$" as Response|table RTR_Call,Response,count" maxsearches=1000
|chart sum(count) over RTR_Call by Response|fillnull value=0|fields - NULL
|eval Bad_perc=round((Bad/(Bad+Good)*100),2)
|eval Good_perc=round((Good/(Good+Bad)*100),2)

|join RTR_Call [|inputlookup MSDN_Lookup.csv |table Threshold,ThresholdCount,RTR_Call,API_Call]
|rex field=RTR_Call "(?\w+.+?)"
|eval Status= if(Good_perc >= 70 ,"Pass" ,"Fail")
|eval Total_count=Bad+Good|where Total_count > ThresholdCount
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...