topic Using field values as paramaters for macros in Reporting

Using field values as paramaters for macros

stephanbuys — Tue, 25 May 2010 20:43:36 GMT

I am trying to create a macro that would take as it's input the result of an eval earlier in the search string, for example:

eval mytime=now() | extract_duplicate(mytime)

Is there a way to do this? mytime might even be substituted as part of a scheduled saved search (for example mytime=starttimeu) to collect summary index data.

Running the search with a literal works fine: extract_duplicate(1271816301)

Re: Using field values as paramaters for macros

gkanapathy — Tue, 25 May 2010 21:02:27 GMT

No it is not possible. Macros are distinct from functions, and are simple string substitutions and do not pass values. For this you would need functions. It is possible to "almost" do it, but it would require you to rewrite the macro, e.g.,

[extract_duplicate(1)]
args = a1
definition = eval mytime = $a1$ | blah xxx=mytime

called with:

`extract_duplicate(now())`

Separately, you can't get starttimeu either from within a search query. Also, starttimeeu is deprecated in favor of earliest.

Re: Using field values as paramaters for macros

Lowell — Wed, 26 May 2010 00:11:11 GMT

Hmm. This is not an answer to your question, exactly, but I suspect that since your talking about passing time values into macros and you're looking to use this for summary indexing, then I suspect that you may be trying to post-filter your search with something like a | where _time<my_field

If I'm wrong about this, then you can just ignore the rest.

I use the following macro as a post-search command that will drop off a given number of hours from the end of a search time range.

[si_txn_trim_h(1)]
args = hours
definition = addinfo | where _time < (info_max_time-($hours$*3600)) | fields - info_*
iseval = 0

I use the addinfo search command to get the info_max_time (or you can use the info_min_time, if you want the earliest value instead of the latest value).

Also note that I wrote this for Splunk 4.0. Now, I would recommend instead using the relative_time eval function instead of assuming "hours", which would be much more flexible. But for the purpose of comparison, I suspect I would replace this with the following in 4.1:

definition = addinfo | where _time < relative_time(info_max_time,"-$hours$h") | fields - info_*

Re: Using field values as paramaters for macros

stephanbuys — Thu, 27 May 2010 13:22:47 GMT

This is a great tip, I have also verified that you can use addinfo in subsearches of a scheduled search, so this will solve my problem. Thanks!

Re: Using field values as paramaters for macros

stephanbuys — Thu, 27 May 2010 13:25:55 GMT

Thank you! We were looking for function capabilities, but Lowell's solution will help us to get the search working.