Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Spl query is not working

jaibalaraman
Path Finder
‎08-21-2024 03:51 PM

Hi Team 

Could you please advice why the below query is not showing any data 

" `secrpt-active-users($select321$)`"

 

Thanks 

Labels (3)
0 Karma
Reply

jaibalaraman
Path Finder
‎08-21-2024 06:12 PM

When i navigate to check the token, i find the below 

jaibalaraman_1-1724289064147.png

 

However i am not sure , is token existing or do i need to create new one. 
1 - If i want to create a new token how should i map the spl query to this token ??

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-21-2024 06:24 PM

Those are different tokens.

Things in your SPL that have $xxx$ are dashboard tokens and are set by logic in the dashboard, either through an input or through some drilldown.

0 Karma
Reply

jaibalaraman
Path Finder
‎08-21-2024 06:10 PM

When i am trying to expand the macro, i am getting the below error message 

jaibalaraman_0-1724288994815.png

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-21-2024 06:26 PM

Is your problem from a search in a dashboard or a raw search in the search bar?

I suspect this is two issues - the first dashboard issue is a token issue and this is missing the ldapfilter command.

Is this your dashboard - if you do not have access to the ldapfilter command then even if you fix the token you make not get your search working.

0 Karma
Reply

jaibalaraman
Path Finder
‎08-21-2024 08:26 PM

Problem from dashboard, this dashboard comes with default package of ITSI which i am trying to do reverse engineering fixing the dashboard

How do i fix this issue 

jaibalaraman_0-1724297166253.png

 

What is ldapfilter command ? and how do i fix the token issue

 

 

0 Karma
Reply

jaibalaraman
Path Finder
‎08-21-2024 06:08 PM

Sorry the "" its my post 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-21-2024 06:01 PM

If this is in a dashboard, then that $select321$ looks to be a token and if that token has not been set you will get the message you are seeing.

On a separate point, are the double quotes surrounding the SPL or is that your post? Because it looks like it is a macro, but if the double quotes are really surrounding the macro, then it's not a macro, but a string.

Anyway, the token is your problem.

0 Karma
Reply

jaibalaraman
Path Finder
‎08-21-2024 03:51 PM

jaibalaraman_0-1724280699333.png

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...