Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Spl query is not working

jaibalaraman
Path Finder
‎08-21-2024 03:51 PM

Hi Team 

Could you please advice why the below query is not showing any data 

" `secrpt-active-users($select321$)`"

 

Thanks 

Labels (4)
0 Karma
Reply

jaibalaraman
Path Finder
‎08-21-2024 06:12 PM

When i navigate to check the token, i find the below 

jaibalaraman_1-1724289064147.png

 

However i am not sure , is token existing or do i need to create new one. 
1 - If i want to create a new token how should i map the spl query to this token ??

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-21-2024 06:24 PM

Those are different tokens.

Things in your SPL that have $xxx$ are dashboard tokens and are set by logic in the dashboard, either through an input or through some drilldown.

0 Karma
Reply

jaibalaraman
Path Finder
‎08-21-2024 06:10 PM

When i am trying to expand the macro, i am getting the below error message 

jaibalaraman_0-1724288994815.png

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-21-2024 06:26 PM

Is your problem from a search in a dashboard or a raw search in the search bar?

I suspect this is two issues - the first dashboard issue is a token issue and this is missing the ldapfilter command.

Is this your dashboard - if you do not have access to the ldapfilter command then even if you fix the token you make not get your search working.

0 Karma
Reply

jaibalaraman
Path Finder
‎08-21-2024 08:26 PM

Problem from dashboard, this dashboard comes with default package of ITSI which i am trying to do reverse engineering fixing the dashboard

How do i fix this issue 

jaibalaraman_0-1724297166253.png

 

What is ldapfilter command ? and how do i fix the token issue

 

 

0 Karma
Reply

jaibalaraman
Path Finder
‎08-21-2024 06:08 PM

Sorry the "" its my post 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-21-2024 06:01 PM

If this is in a dashboard, then that $select321$ looks to be a token and if that token has not been set you will get the message you are seeing.

On a separate point, are the double quotes surrounding the SPL or is that your post? Because it looks like it is a macro, but if the double quotes are really surrounding the macro, then it's not a macro, but a string.

Anyway, the token is your problem.

0 Karma
Reply

jaibalaraman
Path Finder
‎08-21-2024 03:51 PM

jaibalaraman_0-1724280699333.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...