Does it always fail i.e. with different time ranges selected or just some of them?

"not working fine" is not a useful phrase. Exactly, what is not working? What results are you getting? What results were you expecting?

(I created a similar dashboard and macro arrangement and it works fine for me!)

@ITWhisperer 

There are two things what is "working" and "what is not working"

Working : Below data model is giving the results.

Not working :  When I use the data model under this macro`throughput_macro_raw(span=1d)` not giving any results.

Not working : As well in the dashboard below query is also not working

<query>|`$macro_token$(span_token="$span_token$")` 
|strcat "raw" "," location group_name | timechart span=1d count by location

Please help me to execute and fix these queries

As far as I can see, after you substitue your token you end up with (somewhere in the middle of your expanded macro)

| bin _time span=span=1d

Either remove the "span=" part from the macro definition or from the argument you're passing to it.

@PickleRick If, in this case, I remove the span= from all the below macros, then how do the span values pass through? And span_token values coming from the dashboard.

<change>
<eval token="time.earliest_epoch">if('earliest'="",0,if(isnum(strptime('earliest', "%s")),'earliest',relative_time(now(),'earliest')))</eval>
<eval token="time.latest_epoch">if(isnum(strptime('latest', "%s")),'latest',relative_time(now(),'latest'))</eval>
<eval token="macro_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "throughput_macro_summary_1d",if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "throughput_macro_summary_1h","throughput_macro_raw"))</eval>
<eval token="form.span_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "d", if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "h", $form.span_token$))</eval>
</change>

throughput_macro_raw() contains

| bin _time span=$span_token$

As you showed, you call it as

`throughput_macro_raw(span=1d)`

Since macro is a simple text expansion, your $span_token$ is getting substituted for "span=1d"

So your

span=$span_token$

is getting thus expanded to

span=span=1d

That's how macro expansion works.

@PickleRick Nice explanation . But my approach is working fine on other dashboards. 

You might have a bit differently prepared macros/searches you use there.

In your first not working screenshot, you have used an argument called "span" but the macro definition calls the argument "span_token", hence the error.

For the second not working example, as I asked before, what exactly is not working? By the way, your dashboard source is incomplete so it could be something to do with the way you have set up span_token but you haven't shown this so I can't tell.

Please provide all relevant information to maximise your chances of getting a solution.

@ITWhisperer Even below is also not giving any results. 

And source I have already mentioned in datamodel.

The error message says it all - it looks like you can't use datamodel from within a macro. You could argue that this is a bug in the parser - please raise a support ticket with Splunk.

@ITWhisperer Sure, I will. In the earlier chat, you said that you had used the same approach in your dashboard and it worked fine. Can you share with me that link for the reference?

I didn't use datamodel, I was just testing using a token inside a macro

@ITWhisperer There is no need to raise a case; the macro is now working. I have removed the "|" from the macro used before the data model, and after that, it works fine.

Let me check other stuffs, If needed I will post my queries here.