Dashboard creation not working as expected - Splunk Community

Dashboards & Visualizations

Hi ,

I am trying to create the dashboard for the below query, but it is showing no results in dashboard. Am able to get the result when I do the search.

index=Test host=XXX "ABNUM" | map search="search source=$source$ | streamstats current=f last(_raw) AS next_line | search \" took \" next_line=\"*ABNUM*\"" | dedup _raw next_line | rex "query took (?\d+).*\((?\d+) seconds\)"

X-axis querySeconds and Y-axis Count of event

The dollar-sign syntax is used both by map and by xml so you need to escape them (by doubling) for the XML parsing so they make it to map.

Try this:

index=Test host=XXX "ABNUM" | map search="search source=$$source$$ | streamstats current=f last(_raw) AS next_line | search \" took \" next_line=\"*ABNUM*\"" | dedup _raw next_line | rex "query took (?\d+).*\((?\d+) seconds\)"

Hi,

It's not working If I use $$source$$. am getting zero results...

It definitely should work (this is simple XML, right?)

See here for same second opinion:

https://answers.splunk.com/answers/209024/why-is-the-map-command-not-working-in-dashboard-an.html

It's not working for me. If I try with single $, am getting proper result in search but with $$source$$. am getting zero result only.

Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...