Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Macro not working while used in dashboard, while it is working in search bar.

anooshac
Communicator
‎09-18-2024 10:09 PM

Hi All,

I have written a macro to get a field. It has 3 joins. When i used the macro in dashboard , in a base search, it is not working properly and gives very less results.

But when i use the macro in search bar it gives correct results.
Does anyone know how can i solve this?

Labels (2)
Labels
Tags (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2024 12:15 AM

Variables in a macro are surrounded by dollar signs e.g. $var$. Tokens in a dashboard are also surrounded by dollar signs e.g. $token$. When a macro with variables is used in a dashboard, the dollar signs have to be doubled-up e.g. $$var$$ otherwise the dashboard will assume they are tokens and probably the search will be waiting on user input to give the token ($var$) a value.

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-18-2024 10:41 PM

The subject is too generic without knowing what the macro consists of.  But if there is no obvious error messages, the problem could be in permissions of knowledge objects (lookups, extractions/transforms, calculated fields, etc.) used in the macro.

First, of course, check if the macro itself is shared in the app where the dashboard runs.  Then, is there any lookup used in the macro that is not shared with this app?  And so on, and so forth.

0 Karma
Reply

anooshac
Communicator
‎09-18-2024 11:01 PM

Hi, @yuanliu , the macro is shared in app, and i don't use any lookup files in the macro. I use join in the macro to get the data from 3 different source types.

Is the join causing the issue?

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-18-2024 11:08 PM

Lookup is just one type of knowledge object.  Field extractions, transforms, calculated fields, event types, tags, etc., etc., can all have limited permissions if any of your subsearches use those.  For example, you think a field is available to you, and it appears to be available to you in search window because you are the owner of that private extraction.  But the field may not be available when another user runs the dashboard.  Again, this is just another example.

0 Karma
Reply

anooshac
Communicator
‎09-19-2024 03:22 AM

After debugging in so many ways found out that a field im using in the query does not include empty values of the field while "All" is selected.

Do you know how can i include empty values also when "All" is selected in multiselect dropdown?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2024 04:01 AM

From what you are saying and reading between the lines between the lines, I am guessing that when All is chosen, the value of the token is set to "*". When this is used in a search e.g. field=$token$, the "*" will equate to all non-null values, which is why your search is not dealing with "empty values". To get around this, you may have to change the way the token is set up and the way it is used. For example, if you change the value prefix to be <valuePrefix>field="</valuePrefix> and the value suffix to the <valueSuffix>"</valueSuffix>, then treat the choice of "All" to set an empty token, then your search can use $token$ instead of field=$token$

This is something that is easier to do in Classic/SimpleXML dashboards than Studio.

0 Karma
Reply
Get Updates on the Splunk Community!

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...

Splunk AppDynamics Agents Webinar Series

Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...
Top