topic Re: Splunk macro in search string in Knowledge Management

Splunk macro in search string

karthikmalla — Tue, 31 Oct 2017 03:47:22 GMT

I created a Macro with name auth(1), app is ES, argument is src and the definition is

| from datamodel:"Authentication"."Authentication" | search (src="$src$" OR Authentication.src="$src$" OR dest="$src$" OR Authentication.dest="$src$") | eval username=user_first+" "+user_last | eval phone=if(isnull(user_phone), user_phone2, user_phone) | rename user_managedBy as userid, user_email as email, WorkstationName as workstation | fields username, email, userid, phone, workstation

And I am trying to call this Macro in a ES search as

sourcetype=*someexamplesourcetype* auth(src) and this didn't work

I also tried like
sourcetype=*someexamplesourcetype* auth("10.20.30.40") and this didn't work too
sourcetype=*someexamplesourcetype* auth(1) and this didn't work too

When I try like

sourcetype=*someexamplesourcetype* auth I am getting error message as

Error in 'SearchParser': The search specifies a macro 'auth' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

Note There are backticks in front of auth and auth(src) as you know this will be converted to code format I removed backticks in this question.

I assigned the Macro access to global with read & write for everyone, still the error message appears.

Re: Splunk macro in search string

hardikJsheth — Tue, 31 Oct 2017 10:40:04 GMT

Hi @karthikmalla,

I think you need to make it Global and read permission is needed for the macro. I can see one issue with the defination of your macro, you need to remove first "I" from the macro defination.

from datamodel:"Authentication"."Authentication" | search (src="$src$" OR Authentication.src="$src$" OR dest="$src$" OR Authentication.dest="$src$") | eval username=user_first+" "+user_last | eval phone=if(isnull(user_phone), user_phone2, user_phone) | rename user_managedBy as userid, user_email as email, WorkstationName as workstation | fields username, email, userid, phone, workstation

Re: Splunk macro in search string

karthikmalla — Tue, 31 Oct 2017 22:23:20 GMT

Still not working. How should I call the macro in search? Is that like?

sourcetype=* auth("10.20.30.40") and back ticks in the beginning & ending of auth("10.20.30.40"). ?

Re: Splunk macro in search string

romanwaldecker — Sun, 29 Sep 2019 16:31:15 GMT

You forgot to embed the macro into the ` ` characters.
Like this:
`auth(src)`

PS: Yes, I know this is a really delayed answer and the problem most likely has already been solved. Just a help for users having with a similar issue.