When I search this on its own it comes up with what I need, but when I put it into the Dashboard it comes up with "Awaiting Data Input":
(index=windows_* OR index=win*) (sourcetype="wineventlog:security" OR source="wineventlog:security" OR sourcetype="xmlwineventlog:security" OR source="xmlwineventlog:security" OR sourcetype="wineventlog*" OR source="wineventlog*" OR sourcetype="xmlwineventlog*" OR source="xmlwineventlog*") signature_id IN (4720 4722 4725 4726 4738) Target_Account_Name!=*$ Subject_Account_Name!=*$
| eval signature=coalesce(signature, EventCode_Description)
| eval Computer_Name=coalesce(Computer_Name,ComputerName,Computer)
| eval New_Message=coalesce(Message,message,body,EventData_Xml)
| stats count earliest(_time) as earliest latest(_time) as latest values(Computer_Name) as src values(signature) as signature values(signature_id) as signature_id values(Logon_ID) as Logon_ID values(TaskCategory) as Task_Category values(Device_Name) as device by dest, Subject_Account_Name, Target_Account_Name, host
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(earliest)
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(latest)
| fields count earliest latest Target_Account_Name Subject_Account_Name signature signature_id dest host src Logon_ID Task_Category
Any ideas?
As ITWhisperer mentioned, $ is used in dashboards for tokens.
It looks like you're trying to exclude system accounts in your search, so removing the $ isn't really an option.
You can also escape the $ with a double $$.
See Token usage in dashboards - Escaping the $ token delimiter character
Thank you! Removing both $ actually killed my search, but $ after the Target_Account_Name!=* and adding OR made it function beautifully!
(Original) Target_Account_Name!=*$ Subject_Account_Name!=*$
(Modified) Target_Account_Name!=* OR Subject_Account_Name!=*$
Remove the $ from the search - $ is used in dashboards to delimit token names, e.g. $token$, and searches won't run until the token is resolved.
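The $$ escaping mentioned in the thread, as an added example that is not part of the original posts: a small Python helper that doubles every literal $ in a raw search before it is pasted into a dashboard, while leaving real token references alone, and that lists the text a dashboard would otherwise wait on. The token name host_tok, the sample search and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the account filter from the question, plus a hypothetical
# dashboard input token "host_tok" (an assumption, not part of the thread).
SAMPLE_SPL = ("index=win* host=$host_tok|s$ signature_id IN (4720 4722 4725 4726 4738) "
              "Target_Account_Name!=*$ Subject_Account_Name!=*$")


def _token_re(known_tokens):
    # Matches only the tokens the dashboard defines, with an optional
    # filter suffix such as |s. Longest names are tried first.
    names = "|".join(re.escape(t) for t in sorted(known_tokens, key=len, reverse=True))
    return re.compile(rf"\$(?:{names})(?:\|\w+)?\$")


def escape_spl_for_dashboard(spl, known_tokens=()):
    """Double every literal '$' in a raw (not yet escaped) search,
    keeping references to known tokens unchanged."""
    if not known_tokens:
        return spl.replace("$", "$$")
    out, pos = [], 0
    for m in _token_re(known_tokens).finditer(spl):
        out.append(spl[pos:m.start()].replace("$", "$$"))  # literal text
        out.append(m.group(0))                              # real token, untouched
        pos = m.end()
    out.append(spl[pos:].replace("$", "$$"))
    return "".join(out)


def unresolved_spans(spl, known_tokens=()):
    """List the text a dashboard would read as an undefined token name.

    Assumption: once known tokens and escaped '$$' are set aside, the
    remaining '$' characters pair up left to right, as $token$ implies.
    """
    rest = _token_re(known_tokens).sub("", spl) if known_tokens else spl
    rest = rest.replace("$$", "")
    return re.findall(r"\$([^$]*)\$", rest)


if __name__ == "__main__":
    print(unresolved_spans(SAMPLE_SPL, {"host_tok"}))
    print(escape_spl_for_dashboard(SAMPLE_SPL, {"host_tok"}))
```

The escaped output keeps both machine-account exclusions (names ending in $) in place, so the dashboard panel applies the same filter as the standalone search.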