topic Re: Macros using data from search in Knowledge Management

Macros using data from search

phoenixdigital — Fri, 15 Feb 2013 05:11:11 GMT

Seems like a pretty simple thing I am trying to do but it wont work.

I have some bitwise data which I want to convert into a string equivalent. So in this example I want to see if bit 0 or bit 1 is set.
Bit0 = This Text
Bit1 = That Text

This search works perfectly

sourcetype=blah | eval desc=if(floor(bitData)%2>0,"This Text, ","") | eval desc=desc+ if(floor(bitData/2)%2>0,"That Text, ","") | table _time, bitData, desc

Now I actually have 16 bitfields and want to reuse this eval chain quite a bit so thought I would make a macro out of it.

However this does not work

Macro definition

eval desc=desc+ if(floor($bitField$/2)%2>0,"That Text, ","") | eval desc=desc+ if(floor($bitField$/2)%2>0,"That Text, ","")

This search does not work though

    sourcetype=blah | `myMacro(bitData)` | table _time, bitData, desc

I get the errors

Error in 'SearchParser': Missing a search command before ' '.
Unknown search command 'gen'.

What gives here?

Re: Macros using data from search

Ron_Naken — Fri, 15 Feb 2013 06:46:36 GMT

There doesn't appear to be anything wrong with your syntax. Click the blue [i] next to the printer icon on the right of the search bar, after executing your search. Scroll down to eventSearch to see how your macro is being expanded in the search. It's likely a typo.

Re: Macros using data from search

jonuwz — Fri, 15 Feb 2013 08:41:25 GMT

The fields in a macro are named. You need to pass the field into the macro like this :

sourcetype=blah | `myMacro(bitData=bitData)` | table _time, bitData, desc

Re: Macros using data from search

phoenixdigital — Sat, 16 Feb 2013 00:46:23 GMT

Finally worked it out. Turns out you cannot have newlines in macros but you can in a search.

So my example above was not entirely correct it should have been.

Working search

sourcetype=blah | 
eval desc=if(floor(bitData)%2>0,"This Text, ","") | 
eval desc=desc+ if(floor(bitData/2)%2>0,"That Text, ","") |
table _time, bitData, desc

Macro that doesn't work

eval desc=desc+ if(floor($bitField$/2)%2>0,"That Text, ","") |
eval desc=desc+ if(floor($bitField$/2)%2>0,"That Text, ","")

Macro that does work

eval desc=desc+ if(floor($bitField$/2)%2>0,"That Text, ","") | eval desc=desc+ if(floor($bitField$/2)%2>0,"That Text, ","")

I have them all on newlines as there are 16 rows for the entire macro and I wanted it to be readable and easy to edit.

So its a bit inconsistent that newlines are allowed in a search but not in a macro. Should I submit this as a bug?

Thanks to those that tried to assist.

Re: Macros using data from search

DalJeanis — Mon, 06 Feb 2017 15:04:36 GMT

That middle section would be
| myMacro(bitField=bitData)