Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Spl query is not working

jaibalaraman
Path Finder
‎08-21-2024 03:51 PM

Hi Team 

Could you please advice why the below query is not showing any data 

" `secrpt-active-users($select321$)`"

 

Thanks 

Labels (3)
0 Karma
Reply

jaibalaraman
Path Finder
‎08-21-2024 06:12 PM

When i navigate to check the token, i find the below 

jaibalaraman_1-1724289064147.png

 

However i am not sure , is token existing or do i need to create new one. 
1 - If i want to create a new token how should i map the spl query to this token ??

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-21-2024 06:24 PM

Those are different tokens.

Things in your SPL that have $xxx$ are dashboard tokens and are set by logic in the dashboard, either through an input or through some drilldown.

0 Karma
Reply

jaibalaraman
Path Finder
‎08-21-2024 06:10 PM

When i am trying to expand the macro, i am getting the below error message 

jaibalaraman_0-1724288994815.png

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-21-2024 06:26 PM

Is your problem from a search in a dashboard or a raw search in the search bar?

I suspect this is two issues - the first dashboard issue is a token issue and this is missing the ldapfilter command.

Is this your dashboard - if you do not have access to the ldapfilter command then even if you fix the token you make not get your search working.

0 Karma
Reply

jaibalaraman
Path Finder
‎08-21-2024 08:26 PM

Problem from dashboard, this dashboard comes with default package of ITSI which i am trying to do reverse engineering fixing the dashboard

How do i fix this issue 

jaibalaraman_0-1724297166253.png

 

What is ldapfilter command ? and how do i fix the token issue

 

 

0 Karma
Reply

jaibalaraman
Path Finder
‎08-21-2024 06:08 PM

Sorry the "" its my post 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-21-2024 06:01 PM

If this is in a dashboard, then that $select321$ looks to be a token and if that token has not been set you will get the message you are seeing.

On a separate point, are the double quotes surrounding the SPL or is that your post? Because it looks like it is a macro, but if the double quotes are really surrounding the macro, then it's not a macro, but a string.

Anyway, the token is your problem.

0 Karma
Reply

jaibalaraman
Path Finder
‎08-21-2024 03:51 PM

jaibalaraman_0-1724280699333.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top