Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Macro not working while used in dashboard, while it is working in search bar.

anooshac
Communicator
‎09-18-2024 10:09 PM

Hi All,

I have written a macro to get a field. It has 3 joins. When i used the macro in dashboard , in a base search, it is not working properly and gives very less results.

But when i use the macro in search bar it gives correct results.
Does anyone know how can i solve this?

Labels (2)
Labels
Tags (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2024 12:15 AM

Variables in a macro are surrounded by dollar signs e.g. $var$. Tokens in a dashboard are also surrounded by dollar signs e.g. $token$. When a macro with variables is used in a dashboard, the dollar signs have to be doubled-up e.g. $$var$$ otherwise the dashboard will assume they are tokens and probably the search will be waiting on user input to give the token ($var$) a value.

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-18-2024 10:41 PM

The subject is too generic without knowing what the macro consists of.  But if there is no obvious error messages, the problem could be in permissions of knowledge objects (lookups, extractions/transforms, calculated fields, etc.) used in the macro.

First, of course, check if the macro itself is shared in the app where the dashboard runs.  Then, is there any lookup used in the macro that is not shared with this app?  And so on, and so forth.

0 Karma
Reply

anooshac
Communicator
‎09-18-2024 11:01 PM

Hi, @yuanliu , the macro is shared in app, and i don't use any lookup files in the macro. I use join in the macro to get the data from 3 different source types.

Is the join causing the issue?

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-18-2024 11:08 PM

Lookup is just one type of knowledge object.  Field extractions, transforms, calculated fields, event types, tags, etc., etc., can all have limited permissions if any of your subsearches use those.  For example, you think a field is available to you, and it appears to be available to you in search window because you are the owner of that private extraction.  But the field may not be available when another user runs the dashboard.  Again, this is just another example.

0 Karma
Reply

anooshac
Communicator
‎09-19-2024 03:22 AM

After debugging in so many ways found out that a field im using in the query does not include empty values of the field while "All" is selected.

Do you know how can i include empty values also when "All" is selected in multiselect dropdown?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-19-2024 04:01 AM

From what you are saying and reading between the lines between the lines, I am guessing that when All is chosen, the value of the token is set to "*". When this is used in a search e.g. field=$token$, the "*" will equate to all non-null values, which is why your search is not dealing with "empty values". To get around this, you may have to change the way the token is set up and the way it is used. For example, if you change the value prefix to be <valuePrefix>field="</valuePrefix> and the value suffix to the <valueSuffix>"</valueSuffix>, then treat the choice of "All" to set an empty token, then your search can use $token$ instead of field=$token$

This is something that is easier to do in Classic/SimpleXML dashboards than Studio.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...