getting the error in splunk query

nareshkareeti · ‎06-15-2025

| tstats summariesonly=true count From datamodel=Network_Traffic WHERE (All_Traffic.src_ip=* OR All_Traffic.dest_ip=*) | 'drop_dm_object_name("All_Traffic")' | lookup IOC_IPs.csv IP AS src_ip OUTPUT IP AS matched_src | lookup IOC_IPs.csv IP AS dest_ip OUTPUT IP AS matched_dest | where isnotnull (matched_src) OR where isnotnull(matched_dest)

Error in 'SearchParser': Missing a search command before '''. Error at position '121' of search query '| tstats summariesonly=true count From datamodel=N...{snipped} {errorcontext = t_ip=*) | 'drop_dm_ob}'

bowesmana · ‎06-15-2025

Your SPL has "tick" marks round the macro drop_dm_object_name that are single quotes ('), whereas you need to use the backtick character (`)

| `drop_dm_object_name("All_Traffic")`

sainag_splunk · ‎06-15-2025

@nareshkareeti try

| tstats summariesonly=true count FROM datamodel=Network_Traffic WHERE (All_Traffic.src_ip=* OR All_Traffic.dest_ip=*) BY All_Traffic.src_ip, All_Traffic.dest_ip
| `drop_dm_object_name("All_Traffic")`

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 

getting the error in splunk query

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

getting the error in splunk query

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!