topic Re: pass field value in search as an argument to be used in a macro in Splunk Enterprise Security

pass field value in search as an argument to be used in a macro

hexerino — Tue, 29 Sep 2020 23:47:23 GMT

Hi,

I am trying to figure out how to pass a field value in the search to a macro which interprets it and does further processing through a lookup table.

I have consulted multiple threads but due to karma cannot link to them. Currently my approach is as follows:

index=my_index my_custom_field="the_value_to_filter_for" | map search="|`my_processing_macro($my_custom_field_)`"

Macro: my_processing_macro(1) (argument defined as name)

lookup my_lookup_table_def $name$ as lookup_table_column1

Lookup table (CSV-format): linked to lookup table definition

lookup_table_column1,lookup_table_column2
value_i_pass_in_macro, value_i_want_returned

So in short, the value I pass in my_custom_field corresponds to a column1 row in the lookup table. Basically column 2 contains the regex or other macro's to expand during processing.

Re: pass field value in search as an argument to be used in a macro

lakshman239 — Tue, 26 Mar 2019 11:13:10 GMT

The below search should work .. are you seeing any errors? You need $$ and test your macros by using both |yourmacro(1)` pipe and without pipe and adjust

index=my_index my_custom_field="the_value_to_filter_for" | map search=" search `my_processing_macro($my_custom_field$)`"

Re: pass field value in search as an argument to be used in a macro

hexerino — Thu, 28 Mar 2019 10:26:02 GMT

After long deliberation we decided to adopt a different filtering strategy. This method worked after some alteration. Thank you for your suggestion !

Re: pass field value in search as an argument to be used in a macro

lakshman239 — Thu, 28 Mar 2019 12:03:25 GMT

Glad it helped. Pls vote to accept the comment/answers and also post your answers for future readers.