I have 600+ data in my dashboard server. The query is working fine separately in search and reporting but, It is working in dashboard. It is showing search is waiting for input error.
@harinivgr ,
The regex part of your search is causing the problem.
Replace
| rex field=_raw "^[^\$\n]*\$\w+\d+\s+(?P<JobName>\w+)"
with
| rex field=_raw "^[^\$$\n]*\$$\w+\d+\s+(?P<JobName>\w+)"
$
sign is escaped with $$
@harinivgr ,
The regex part of your search is causing the problem.
Replace
| rex field=_raw "^[^\$\n]*\$\w+\d+\s+(?P<JobName>\w+)"
with
| rex field=_raw "^[^\$$\n]*\$$\w+\d+\s+(?P<JobName>\w+)"
$
sign is escaped with $$
Thank you so much. Now it is working fine.
@harinivgr , do you have any input element in Dashboard and if yes, are they selected , for e.g dropdown?
Yes, I have dropdown. After selected the dropdown, we are facing this error. The token values are passed. The query is working fine in run search. But in dashboard, we are facing this error.
are you using any base/ post process search ? is it possible to share the XML after masking any sensitive data?
Long Running Job
<input type="dropdown" token="start_time">
<label>start_time</label>
<search>
<query />
<earliest>0</earliest>
<latest></latest>
</search>
<choice value="1:00:00">1AM</choice>
<choice value="2:00:00">2AM</choice>
<choice value="3:00:00">3AM</choice>
<choice value="4:00:00">4AM</choice>
<choice value="5:00:00">5AM</choice>
<choice value="6:00:00">6AM</choice>
<choice value="7:00:00">7AM</choice>
<choice value="8:00:00">8AM</choice>
<choice value="9:00:00">9AM</choice>
<choice value="10:00:00">10AM</choice>
<choice value="11:00:00">11AM</choice>
<choice value="0:00:00">12AM</choice>
<choice value="13:00:00">1PM</choice>
<choice value="14:00:00">2PM</choice>
<choice value="15:00:00">3PM</choice>
<choice value="16:00:00">4PM</choice>
<choice value="17:00:00">5PM</choice>
<choice value="18:00:00">6PM</choice>
<choice value="19:00:00">7PM</choice>
<choice value="20:00:00">8PM</choice>
<choice value="21:00:00">9PM</choice>
<choice value="22:00:00">10PM</choice>
<choice value="23:00:00">11PM</choice>
<choice value="12:00:00">12PM</choice>
</input>
<input type="dropdown" token="end_time">
<label>end_time</label>
<search>
<query />
<earliest>0</earliest>
<latest></latest>
</search>
<choice value="1:00:00">1AM</choice>
<choice value="2:00:00">2AM</choice>
<choice value="3:00:00">3AM</choice>
<choice value="4:00:00">4AM</choice>
<choice value="5:00:00">5AM</choice>
<choice value="6:00:00">6AM</choice>
<choice value="7:00:00">7AM</choice>
<choice value="8:00:00">8AM</choice>
<choice value="9:00:00">9AM</choice>
<choice value="10:00:00">10AM</choice>
<choice value="11:00:00">11AM</choice>
<choice value="0:00:00">12AM</choice>
<choice value="13:00:00">1PM</choice>
<choice value="14:00:00">2PM</choice>
<choice value="15:00:00">3PM</choice>
<choice value="16:00:00">4PM</choice>
<choice value="17:00:00">5PM</choice>
<choice value="18:00:00">6PM</choice>
<choice value="19:00:00">7PM</choice>
<choice value="20:00:00">8PM</choice>
<choice value="21:00:00">9PM</choice>
<choice value="22:00:00">10PM</choice>
<choice value="23:00:00">11PM</choice>
<choice value="12:00:00">12PM</choice>
</input>
<panel>
<chart>
<search>
<query>index="ibmsyslog" JOBID="JOB*" "IDC* STARTED" | rex field=_raw "^[^\$\n]*\$\w+\d+\s+(?P<JobName>\w+)"| rex field=_raw "\w*\sUSERID\s+(?P<UserID>\w+)\s+" | eval start_time=strftime(_time,"%H:%M:%S.%2Q")
| eval start_date=strftime(_time,"%m/%d/%y")
| join JOBID [search index="ibmsyslog" JOBID="JOB*" ENDED
| eval end_time=strftime(_time,"%H:%M:%S.%2Q")
| eval end_date=strftime(_time,"%m/%d/%y")]
| join JOBID [search index="ibmsyslog" JOBID="JOB*" "-IDC* ENDED."
| rex field=_raw "\w*\s+TOTAL TCB CPU TIME=(?P<TotalCPUTime1>[0-9 ]{3}.\d+)"
| rex field=_raw "\w*TOTAL ELAPSED TIME=(?P<TotalElapsedTime1>[0-9 ]+.\d+)"
] | join JOBID [search index="ibmsyslog" JOBID="JOB*" "IS ASSIGNED TO THIS JOB"]| join type=LEFT JOBID [search index="ibmsyslog" JOBID="JOB*" "JCL ERROR"| eval JCLError="Yes" ]|eval JobExecutionTime=strptime(end_time,"%H:%M:%S.%2Q")-strptime(start_time,"%H:%M:%S.%2Q")| eval KPIName="Long Running Job"
| join KPIName [search index="threshold"]
| eval threshold=Threshold_Value_Medium
| eval desired_time1=strptime(start_time,"%H:%M:%S.%2Q"),
desired_time2=strptime(end_time,"%H:%M:%S.%2Q")
| eval diff=desired_time2-desired_time1
|eval diff1=strftime(diff,"%H:%M:%S")
| eventstats sum(diff) as total by JobName
| eventstats count(JobName) as counter by JobName
| eval start=strptime("$start_time$","%H:%M:%S")
| eval end=strptime("$end_time$","%H:%M:%S")
| where desired_time1>=start and desired_time2<=end
| eval avg=abs(total/counter)
|eval avg1=avg/60
|stats values(avg1) as AverageTime by JobName JobExecutionTime threshold
| sort JobExecutionTime
<earliest>0</earliest>
<latest></latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisLabelsX.majorLabelVisibility">show</option>
<option name="charting.axisLabelsY.majorUnit">5</option>
<option name="charting.axisTitleY.text">Completion Time</option>
<option name="charting.axisX.includeZero">1</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">log</option>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.fieldColors">{"red":0xFF0000,"yellow":0xFFFF00}</option>
<option name="height">302</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<set token="JobName">$row.JobName$</set>
</drilldown>
</chart>
</panel>
@harinivgr
This part of search is creating the issue
rex field=_raw "^[^\$\n]*\$\w+\d+\s+(?P<JobName>\w+)"
Since you have two $
it assumes it as a token and waiting for the input