Re: getting the error in splunk query

nareshkareeti · ‎06-15-2025

| tstats summariesonly=true count From datamodel=Network_Traffic WHERE (All_Traffic.src_ip=* OR All_Traffic.dest_ip=*) | 'drop_dm_object_name("All_Traffic")' | lookup IOC_IPs.csv IP AS src_ip OUTPUT IP AS matched_src | lookup IOC_IPs.csv IP AS dest_ip OUTPUT IP AS matched_dest | where isnotnull (matched_src) OR where isnotnull(matched_dest)

Error in 'SearchParser': Missing a search command before '''. Error at position '121' of search query '| tstats summariesonly=true count From datamodel=N...{snipped} {errorcontext = t_ip=*) | 'drop_dm_ob}'

bowesmana · ‎06-15-2025

Your SPL has "tick" marks round the macro drop_dm_object_name that are single quotes ('), whereas you need to use the backtick character (`)

| `drop_dm_object_name("All_Traffic")`

sainag_splunk · ‎06-15-2025

@nareshkareeti try

| tstats summariesonly=true count FROM datamodel=Network_Traffic WHERE (All_Traffic.src_ip=* OR All_Traffic.dest_ip=*) BY All_Traffic.src_ip, All_Traffic.dest_ip
| `drop_dm_object_name("All_Traffic")`

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 

getting the error in splunk query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation