All Apps and Add-ons

search is waiting for input error

harinivgr
Explorer

I have 600+ data in my dashboard server. The query is working fine separately in search and reporting but, It is working in dashboard. It is showing search is waiting for input error.

1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@harinivgr ,

The regex part of your search is causing the problem.

Replace

| rex field=_raw "^[^\$\n]*\$\w+\d+\s+(?P<JobName>\w+)"

with

| rex field=_raw "^[^\$$\n]*\$$\w+\d+\s+(?P<JobName>\w+)"

$ sign is escaped with $$

Happy Splunking!

View solution in original post

renjith_nair
SplunkTrust
SplunkTrust

@harinivgr ,

The regex part of your search is causing the problem.

Replace

| rex field=_raw "^[^\$\n]*\$\w+\d+\s+(?P<JobName>\w+)"

with

| rex field=_raw "^[^\$$\n]*\$$\w+\d+\s+(?P<JobName>\w+)"

$ sign is escaped with $$

Happy Splunking!

harinivgr
Explorer

Thank you so much. Now it is working fine.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@harinivgr , do you have any input element in Dashboard and if yes, are they selected , for e.g dropdown?

Happy Splunking!
0 Karma

harinivgr
Explorer

Yes, I have dropdown. After selected the dropdown, we are facing this error. The token values are passed. The query is working fine in run search. But in dashboard, we are facing this error.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

are you using any base/ post process search ? is it possible to share the XML after masking any sensitive data?

Happy Splunking!
0 Karma

harinivgr
Explorer

Long Running Job

  <input type="dropdown" token="start_time">
      <label>start_time</label>

      <search>
        <query />
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="1:00:00">1AM</choice>
      <choice value="2:00:00">2AM</choice>
      <choice value="3:00:00">3AM</choice>
      <choice value="4:00:00">4AM</choice>
      <choice value="5:00:00">5AM</choice>
      <choice value="6:00:00">6AM</choice>
      <choice value="7:00:00">7AM</choice>
      <choice value="8:00:00">8AM</choice>
      <choice value="9:00:00">9AM</choice>
      <choice value="10:00:00">10AM</choice>
      <choice value="11:00:00">11AM</choice>
      <choice value="0:00:00">12AM</choice>
      <choice value="13:00:00">1PM</choice>
      <choice value="14:00:00">2PM</choice>
      <choice value="15:00:00">3PM</choice>
      <choice value="16:00:00">4PM</choice>
      <choice value="17:00:00">5PM</choice>
      <choice value="18:00:00">6PM</choice>
      <choice value="19:00:00">7PM</choice>
      <choice value="20:00:00">8PM</choice>
      <choice value="21:00:00">9PM</choice>
      <choice value="22:00:00">10PM</choice>
      <choice value="23:00:00">11PM</choice>
      <choice value="12:00:00">12PM</choice>
    </input>
    <input type="dropdown" token="end_time">
      <label>end_time</label>
      <search>
        <query />
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <choice value="1:00:00">1AM</choice>
      <choice value="2:00:00">2AM</choice>
      <choice value="3:00:00">3AM</choice>
      <choice value="4:00:00">4AM</choice>
      <choice value="5:00:00">5AM</choice>
      <choice value="6:00:00">6AM</choice>
      <choice value="7:00:00">7AM</choice>
      <choice value="8:00:00">8AM</choice>
      <choice value="9:00:00">9AM</choice>
      <choice value="10:00:00">10AM</choice>
      <choice value="11:00:00">11AM</choice>
      <choice value="0:00:00">12AM</choice>
      <choice value="13:00:00">1PM</choice>
      <choice value="14:00:00">2PM</choice>
      <choice value="15:00:00">3PM</choice>
      <choice value="16:00:00">4PM</choice>
      <choice value="17:00:00">5PM</choice>
      <choice value="18:00:00">6PM</choice>
      <choice value="19:00:00">7PM</choice>
      <choice value="20:00:00">8PM</choice>
      <choice value="21:00:00">9PM</choice>
      <choice value="22:00:00">10PM</choice>
      <choice value="23:00:00">11PM</choice>
      <choice value="12:00:00">12PM</choice>
    </input>


    <panel>
      <chart>
        <search>
          <query>index="ibmsyslog" JOBID="JOB*"  "IDC* STARTED"  | rex field=_raw "^[^\$\n]*\$\w+\d+\s+(?P&lt;JobName&gt;\w+)"| rex field=_raw "\w*\sUSERID\s+(?P&lt;UserID&gt;\w+)\s+" | eval start_time=strftime(_time,"%H:%M:%S.%2Q")  
| eval start_date=strftime(_time,"%m/%d/%y") 
| join JOBID [search index="ibmsyslog" JOBID="JOB*"  ENDED   
| eval end_time=strftime(_time,"%H:%M:%S.%2Q") 
| eval end_date=strftime(_time,"%m/%d/%y")]
| join JOBID [search index="ibmsyslog" JOBID="JOB*"  "-IDC* ENDED." 
| rex field=_raw "\w*\s+TOTAL TCB CPU TIME=(?P&lt;TotalCPUTime1&gt;[0-9 ]{3}.\d+)"
| rex field=_raw "\w*TOTAL ELAPSED TIME=(?P&lt;TotalElapsedTime1&gt;[0-9 ]+.\d+)"
] | join JOBID [search index="ibmsyslog" JOBID="JOB*"  "IS ASSIGNED TO THIS JOB"]| join type=LEFT JOBID [search index="ibmsyslog" JOBID="JOB*" "JCL ERROR"| eval JCLError="Yes" ]|eval JobExecutionTime=strptime(end_time,"%H:%M:%S.%2Q")-strptime(start_time,"%H:%M:%S.%2Q")| eval KPIName="Long Running Job"
| join KPIName [search index="threshold"]
| eval threshold=Threshold_Value_Medium 
| eval desired_time1=strptime(start_time,"%H:%M:%S.%2Q"),
desired_time2=strptime(end_time,"%H:%M:%S.%2Q") 
| eval diff=desired_time2-desired_time1 
|eval diff1=strftime(diff,"%H:%M:%S")
| eventstats sum(diff) as total by JobName 
| eventstats count(JobName) as counter by JobName 
| eval start=strptime("$start_time$","%H:%M:%S") 
| eval end=strptime("$end_time$","%H:%M:%S") 
| where desired_time1&gt;=start and desired_time2&lt;=end 
| eval avg=abs(total/counter)
|eval avg1=avg/60
|stats values(avg1) as AverageTime by  JobName JobExecutionTime threshold
| sort JobExecutionTime
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisLabelsX.majorLabelVisibility">show</option>
        <option name="charting.axisLabelsY.majorUnit">5</option>
        <option name="charting.axisTitleY.text">Completion Time</option>
        <option name="charting.axisX.includeZero">1</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.fieldColors">{"red":0xFF0000,"yellow":0xFFFF00}</option>
        <option name="height">302</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <set token="JobName">$row.JobName$</set>
        </drilldown>
      </chart>
    </panel>
0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@harinivgr
This part of search is creating the issue

rex field=_raw "^[^\$\n]*\$\w+\d+\s+(?P&lt;JobName&gt;\w+)"

Since you have two $ it assumes it as a token and waiting for the input

Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...