Splunk Search

Macro not working while used in dashboard, while it is working in search bar.

anooshac
Communicator

Hi All,

I have written a macro to get a field. It has 3 joins. When I used the macro in a dashboard, in a base search, it is not working properly and gives very few results.

But when I use the macro in the search bar it gives correct results.
Does anyone know how I can solve this?

0 Karma

ITWhisperer
SplunkTrust

Variables in a macro are surrounded by dollar signs, e.g. $var$. Tokens in a dashboard are also surrounded by dollar signs, e.g. $token$. When a macro with variables is used in a dashboard, the dollar signs have to be doubled up, e.g. $$var$$, otherwise the dashboard will assume they are tokens and the search will probably be waiting on user input to give the token ($var$) a value.

0 Karma

yuanliu
SplunkTrust

The subject is too generic without knowing what the macro consists of. But if there are no obvious error messages, the problem could be in permissions of knowledge objects (lookups, extractions/transforms, calculated fields, etc.) used in the macro.

First, of course, check if the macro itself is shared in the app where the dashboard runs. Then, is there any lookup used in the macro that is not shared with this app? And so on, and so forth.

0 Karma

anooshac
Communicator

Hi @yuanliu, the macro is shared in the app, and I don't use any lookup files in the macro. I use join in the macro to get the data from 3 different source types.

Is the join causing the issue?

0 Karma

yuanliu
SplunkTrust

Lookup is just one type of knowledge object. Field extractions, transforms, calculated fields, event types, tags, etc., etc., can all have limited permissions if any of your subsearches use those. For example, you think a field is available to you, and it appears to be available to you in the search window because you are the owner of that private extraction. But the field may not be available when another user runs the dashboard. Again, this is just another example.

0 Karma

anooshac
Communicator

After debugging in so many ways, I found out that a field I'm using in the query does not include empty values of the field while "All" is selected.

Do you know how I can include empty values also when "All" is selected in the multiselect dropdown?

0 Karma

ITWhisperer
SplunkTrust

From what you are saying and reading between the lines, I am guessing that when All is chosen, the value of the token is set to "*". When this is used in a search e.g. field=$token$, the "*" will equate to all non-null values, which is why your search is not dealing with "empty values". To get around this, you may have to change the way the token is set up and the way it is used. For example, if you change the value prefix to be <valuePrefix>field="</valuePrefix> and the value suffix to be <valueSuffix>"</valueSuffix>, then treat the choice of "All" to set an empty token, then your search can use $token$ instead of field=$token$.

This is something that is easier to do in Classic/SimpleXML dashboards than Studio.

0 Karma
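The difference between the two token setups described in the answer above, as an added example that is not part of the original thread and is a small Python model of the behaviour, not Splunk code. The field name `status`, the " OR " delimiter, the sample events and all function names are assumptions made for illustration.

```python
import re

# Constructed sample events; the last two have no "status" field at all.
EVENTS = [
    {"host": "web01", "status": "open"},
    {"host": "web02", "status": "closed"},
    {"host": "db01"},
    {"host": "db02"},
]

def matches(event, field, pattern):
    """field=pattern test: an event missing the field never matches, even for "*"."""
    value = event.get(field)
    if value is None:
        return False
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value) is not None

def run_search(events, clause):
    """Apply 'field="a" OR field="b"'; an empty clause filters nothing."""
    terms = re.findall(r'(\w+)="?([^"\s]*)"?', clause)
    if not terms:
        return list(events)
    return [e for e in events if any(matches(e, f, p) for f, p in terms)]

def old_clause(selected):
    """Guessed original setup: "All" sets the token to "*", used as status=$token$."""
    token = "*" if "All" in selected else selected[0]
    return f"status={token}"

def new_clause(selected, value_prefix='status="', value_suffix='"', delimiter=" OR "):
    """Suggested setup: prefix/suffix live in the token; "All" yields an empty token."""
    if "All" in selected:
        return ""
    return delimiter.join(f"{value_prefix}{v}{value_suffix}" for v in selected)

if __name__ == "__main__":
    for label, clause in (("old", old_clause(["All"])), ("new", new_clause(["All"]))):
        hits = run_search(EVENTS, clause)
        print(f"{label}: clause={clause!r} -> {len(hits)} of {len(EVENTS)} events")
```

With "All" selected, the old form drops the two events that lack the field, which on a monitoring dashboard means those hosts silently disappear from the panel.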