https://community.splunk.com/t5/Knowledge-Management/macro-question-how-to-use-the-macro-search-results-to-another/m-p/134070#M1363 <P>I have tried it and it works. Thank its a nice start for me to make use of macros.</P> Fri, 08 Nov 2013 08:50:09 GMT crt89 2013-11-08T08:50:09Z https://community.splunk.com/t5/Knowledge-Management/macro-question-how-to-use-the-macro-search-results-to-another/m-p/134068#M1361 <P>Good day fellow Splunkers,</P> <P>I'm new to this macro in Splunk and I want to ask if this could be possible.</P> <P>I have 3 monitored folders, I want to start my search to just get the latest source of this 3 folders. So I was thinking can I do a macro search to first filter my sources. 1 for each directory. So I will only have 3 sources to search for my search string.</P> <P>The problem is I dont know how to configure the macro to pass the results of the macro search to a variable that I will be using for my search.</P> <P>my sample macro would be:</P> <P>host=host1 | stats latest(source) as host1_source_latest<BR /> (same for the other 2 directory)</P> <P>then my search would be source=[the results of the macro] | [my search string]</P> <P>This is what I'm planning to do, if there would be other approach it would be much appreciated.</P> <P>Thanks</P> Mon, 28 Sep 2020 15:14:01 GMT https://community.splunk.com/t5/Knowledge-Management/macro-question-how-to-use-the-macro-search-results-to-another/m-p/134068#M1361 crt89 2020-09-28T15:14:01Z https://community.splunk.com/t5/Knowledge-Management/macro-question-how-to-use-the-macro-search-results-to-another/m-p/134069#M1362 <P>You can use macros in subsearches as you normally would in non-sub-searches. For example, if you have this search</P> <PRE><CODE>my search string [search host=host1 | head 1 | fields source] </CODE></PRE> <P>where the subsearch will be evaluated to <CODE>source=foo</CODE>, you can replace the inner contents of the subsearch with a call to a macro. It could then look something like this:</P> <PRE><CODE>my search string [`macro`] </CODE></PRE> Fri, 08 Nov 2013 08:18:50 GMT https://community.splunk.com/t5/Knowledge-Management/macro-question-how-to-use-the-macro-search-results-to-another/m-p/134069#M1362 martin_mueller 2013-11-08T08:18:50Z https://community.splunk.com/t5/Knowledge-Management/macro-question-how-to-use-the-macro-search-results-to-another/m-p/134070#M1363 <P>I have tried it and it works. Thank its a nice start for me to make use of macros.</P> Fri, 08 Nov 2013 08:50:09 GMT https://community.splunk.com/t5/Knowledge-Management/macro-question-how-to-use-the-macro-search-results-to-another/m-p/134070#M1363 crt89 2013-11-08T08:50:09Z https://community.splunk.com/t5/Knowledge-Management/macro-question-how-to-use-the-macro-search-results-to-another/m-p/134071#M1364 <P>Note, I have modified the subsearch - should be a much faster way to grab the latest source.</P> Fri, 08 Nov 2013 09:01:36 GMT https://community.splunk.com/t5/Knowledge-Management/macro-question-how-to-use-the-macro-search-results-to-another/m-p/134071#M1364 martin_mueller 2013-11-08T09:01:36Z https://community.splunk.com/t5/Knowledge-Management/macro-question-how-to-use-the-macro-search-results-to-another/m-p/134072#M1365 <P>edit: forgot to change query strings. solved now. Thanks again</P> Fri, 08 Nov 2013 09:53:36 GMT https://community.splunk.com/t5/Knowledge-Management/macro-question-how-to-use-the-macro-search-results-to-another/m-p/134072#M1365 crt89 2013-11-08T09:53:36Z