throughput_macro_raw() contains | bin _time span=$span_token$ As you showed, you call it as `throughput_macro_raw(span=1d)` Since macro is a simple text expansion, your $span_token$ is getting substituted for "span=1d" So your span=$span_token$ is getting thus expanded to span=span=1d That's how macro expansion works.

1. This has nothing to do (or at least not much) with parsing, more about summarizing data from your event. 2. Splunk seems to have problems with using spath when the names contain dots, so extracting the "a.com" part and splitting it might not be that easy.

@PickleRick If, in this case, I remove the span= from all the below macros, then how do the span values pass through? And span_token values coming from the dashboard. <change> <eval token="time.earliest_epoch">if('earliest'="",0,if(isnum(strptime('earliest', "%s")),'earliest',relative_time(now(),'earliest')))</eval> <eval token="time.latest_epoch">if(isnum(strptime('latest', "%s")),'latest',relative_time(now(),'latest'))</eval> <eval token="macro_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "throughput_macro_summary_1d",if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "throughput_macro_summary_1h","throughput_macro_raw"))</eval> <eval token="form.span_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "d", if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "h", $form.span_token$))</eval> </change>  

1. Do you get _any_ data from this forwarder? Especially events into _internal index. 2. Do you see any errors in c:\program files\splunk (or SplunkUniversalForwarder, depending on version)\var\log\splunk\splunkd.log on the forwarder? 3. What is the output of splunk list monitor and splunk list inputstatus run on your UF?

As far as I can see, after you substitue your token you end up with (somewhere in the middle of your expanded macro) | bin _time span=span=1d Either remove the "span=" part from the macro definition or from the argument you're passing to it.

In your first not working screenshot, you have used an argument called "span" but the macro definition calls the argument "span_token", hence the error. For the second not working example, as I asked before, what exactly is not working? By the way, your dashboard source is incomplete so it could be something to do with the way you have set up span_token but you haven't shown this so I can't tell. Please provide all relevant information to maximise your chances of getting a solution.

Hi @sekhar463, I suppose that you already configured outputs.conf and that you're already reeving logs from that machine. Please try this: [monitor://C:\Program Files\Crestron\CCS400\User\Logs\CCSFirmwareUpdate.txt] index=Testindx sourcetype=test_sourcetype disabled=0 Ciao. Giuseppe

@ITWhisperer  There are two things what is "working" and "what is not working" Working : Below data model is giving the results. Not working :  When I use the data model under this macro`throughput_macro_raw(span=1d)` not giving any results.   Not working : As well in the dashboard below query is also not working <query>|`$macro_token$(span_token="$span_token$")` |strcat "raw" "," location group_name | timechart span=1d count by location   Please help me to execute and fix these queries

"not working fine" is not a useful phrase. Exactly, what is not working? What results are you getting? What results were you expecting? (I created a similar dashboard and macro arrangement and it works fine for me!)

Hi @Veerendra, it's a sample that I had to simplify, but you can see the approach: <form script="run_action.js" theme="light" version="1.1"> <label>Manage All Cases</label> <fieldset submitButton="false" autoRun="false"> <input type="radio" token="resetTokens" searchWhenChanged="true"> <label/> <choice value="reset">Reset Inputs</choice> <choice value="retain">Retain</choice> <default>reset</default> <change> <condition value="reset"> <unset token="_key"/> <unset token="timestamp"/> <unset token="alertname"/> <unset token="description"/> <unset token="status"/> <unset token="notes"/> <unset token="username"/> <unset token="status_to_update"/> <unset token="notes_to_update"/> <unset token="username_to_update"/> <unset token="status_updated"/> <unset token="notes_updated"/> <unset token="username_updated"/> <unset token="form._key"/> <unset token="form.timestamp"/> <unset token="form.alertname"/> <unset token="form.description"/> <unset token="form.status"/> <unset token="form.notes"/> <unset token="form.user"/> <unset token="form.status_to_update"/> <unset token="form.notes_to_update"/> <unset token="form.username_to_update"/> <unset token="form.status_updated"/> <unset token="form.notes_updated"/> <unset token="form.username_updated"/> <set token="resetTokens">retain</set> <set token="form.resetTokens">retain</set> </condition> </change> </input> </fieldset> <row> <panel> <input type="dropdown" token="User_Name"> <label>User Name</label> <choice value="*&quot; OR NOT User_Name=&quot;*">All</choice> <prefix>User_Name="</prefix> <suffix>"</suffix> <fieldForLabel>User_Name</fieldForLabel> <fieldForValue>User_Name</fieldForValue> <search> <query> | inputlookup open_cases | dedup User_Name | sort User_Name | table User_Name </query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <default>*" OR NOT User_Name="*</default> </input> <input type="dropdown" token="Status"> <label>Status</label> <choice value="*">All</choice> <prefix>Status="</prefix> <suffix>"</suffix> <fieldForLabel>Status</fieldForLabel> <fieldForValue>Status</fieldForValue> <search> <query> | inputlookup open_cases WHERE Status!="Escalation" | dedup Status | sort Status | table Status </query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <default>*</default> </input> <input type="dropdown" token="Alert_Name"> <label>Alert Name</label> <choice value="*">All</choice> <prefix>Alert_Name="</prefix> <suffix>"</suffix> <fieldForLabel>Alert_Name</fieldForLabel> <fieldForValue>Alert_Name</fieldForValue> <search> <query> | inputlookup open_cases | dedup Alert_Name | sort Alert_Name | table Alert_Name </query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <default>*</default> </input> <table id="master"> <title>Total All Cases = $server_count$</title> <search> <query> | inputlookup open_cases WHERE $User_Name$ $Status$ $Alert_Name$ Status!="Escalation" | eval Time=strftime(TimeStamp,"%d/%m/%Y %H:%M:%S"), key=_key | table key Time Alert_Name Description Status Notes User_Name TimeStamp </query> <!--<earliest>$Time.earliest$</earliest> <latest>$Time.latest$</latest>--> <sampleRatio>1</sampleRatio> <progress> <set token="server_count">$job.resultCount$</set> </progress> <cancelled> <unset token="server_count"/> </cancelled> </search> <option name="count">10</option> <option name="dataOverlayMode">none</option> <option name="drilldown">row</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <fields>["_key","Time","Alert_Name","Description","Status","Notes","User_Name"]</fields> <drilldown> <set token="key">$row.key$</set> <set token="timestamp">$row.TimeStamp$</set> <set token="alertname">$row.Alert_Name$</set> <set token="description">$row.Description$</set> <set token="status">$row.Status$</set> <set token="notes">$row.Notes$</set> <set token="username">$row.User_Name$</set> </drilldown> </table> </panel> </row> <row> <panel> <title>Modify Row</title> <input type="dropdown" token="status_to_update"> <label>Status</label> <default>$status$</default> <search> <query/> </search> <choice value="Closed">Closed</choice> <choice value="Work-in-progress">Work-in-progress</choice> <choice value="Escalation">Escalation</choice> <choice value="Stand-By">Stand-By</choice> </input> <input type="text" token="notes_to_update"> <label>Add Notes</label> <default>$notes$</default> </input> <table id="detail" depends="$key$"> <title>Row to modify</title> <search> <query> | makeresults 1 | eval key="$key$", TimeStamp="$timestamp$", Alert_Name="$alertname$", Description="$description$", Status="$status_to_update$", Notes="$notes_to_update$", Time=strftime($timestamp$,"%d/%m/%Y %H:%M:%S"), User_Name="$username$" | table key Time TimeStamp Alert_Name Description Status Notes User_Name </query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <fields>_key,Time,Alert_Name,Description,Status,Notes,User_Name</fields> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">row</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <drilldown> <set token="status_updated">$row.Status$</set> <set token="notes_updated">$row.Notes$</set> <set token="username_updated">$row.User_Name$</set> </drilldown> </table> </panel> </row> <row> <panel> <table id="detail2" depends="$status_to_update$"> <title>Modified Lookup row</title> <search> <query> | inputlookup open_cases | eval Status=if(_key="$key$","$status_updated$",Status), Notes=if(_key="$key$","$notes_updated$",Notes), User_Name=if(_key="$key$","$username_updated$",User_Name) | search _key="$key$" | outputlookup open_cases append=true | eval key=_key | eval Time=strftime(TimeStamp,"%d/%m/%Y %H:%M:%S"), key=_key | table key Time TimeStamp Alert_Name Description Status Notes User_Name </query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <fields>_key,Time,Alert_Name,Description,Status,Notes,User_Name</fields> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </form> My use case was more complicated that you because I had to manually modify some fields, in your use case you can automaticall update the values. I hope that this can help. Ciao. Giuseppe