topic Re: Can I populate a macro from search results? in Knowledge Management

Can I populate a macro from search results?

poxx82 — Wed, 22 Nov 2017 05:28:08 GMT

Hi,

I am trying to take the results of a search that returns 1000 machines and search for them in an index. Not sure what the best way to accomplish this is...

I was attempting to create tokens with 100 machines in each (MACHINE="A" OR MACHINE="B" OR MACHINE="C") and put them in a macro - $token1$ $token2$ $token3$ ... etc. which would result in 1000 machines listed in the format above to search against an index - index="A" (macro). Is there a better way to create a list from a search and drop it into a macro? Right now the limitation I am running into is the amount of characters in a eval field.

Thanks.

Re: Can I populate a macro from search results?

hardikJsheth — Wed, 22 Nov 2017 07:00:28 GMT

Macros are not for this purpose. If I understood the requirement correctly you want to search for list of host from one query and then use this list in another query. Good option would be to use JOIN query or append query.

Re: Can I populate a macro from search results?

kamlesh_vaghela — Wed, 22 Nov 2017 08:12:48 GMT

You can try it with return command.
like..

index="A" [ search SECOND_SEARCH | return MACHINE]

SECOND_SEARCH is the logic which you want to pass in macro.

Please see return doc for more info.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Return

Re: Can I populate a macro from search results?

DalJeanis — Sat, 25 Nov 2017 04:22:29 GMT

In short, NO.

Macros are evaluated first, before any searching happens.

However, what you are asking for is pretty easy, with at least three different ways you can do it.

First, use a subsearch.

1) Create a search that gets you 1000 MACHINES (only that one field, in a table).
2) Put it in brackets
3) The system will execute the subsearch, return a value that looks like ( ( MACHINE="machine1" ) OR ( MACHINE="machine2" ) OR... )
4) you're done.

index=foo  [ your search that gets 1000 records | table MACHINE ]

SECOND METHOD -

1) Create a first search that saves the 1000 values for MACHINE to a lookup table
2) create a second search that uses | lookup mytable MACHINE OUTPUT MACHINE as foundme | where isnotnull(foundme)

THere are lots more.

Re: Can I populate a macro from search results?

woodcock — Sat, 25 Nov 2017 21:08:42 GMT

What you are really looking for is a subsearch. Here is a search that generates a list of 100 like you indicated:

| makeresults 
| eval MACHINE=mvrange(1,101)
| rex field=MACHINE mode=sed "s/^/MACHINE/"
| format

Really, though, I would read this list from a lookup and then it would be like this:

| inputlookup YourLookupWithListOfMachinesHere
| format

You could bury this inside of a macro but I really don't see the point. To use one, put it inside of square-brackets to define a subsearch in your main search like this:

index=foo [| inputlookup YourLookupWithListOfMachinesHere]