https://community.splunk.com/t5/Splunk-Search/Run-macro-commands-from-lookup/m-p/701428#M237930 <P>That's what i'm finding as well.&nbsp; I'm curious if there's a round-about way to do this.&nbsp; Maybe using that string as a token in a dashboard?</P> Wed, 09 Oct 2024 14:13:04 GMT apiprek2 2024-10-09T14:13:04Z https://community.splunk.com/t5/Splunk-Search/Run-macro-commands-from-lookup/m-p/701369#M237909 <P>Hi</P><P>I'm wondering if it's possible to define and execute a macro from a lookup.&nbsp; I have an index with several (about 50) user actions, which aren't named in a user friendly manner.&nbsp; Additionally, each action has different fields, which I'd like to extract using inline rex queries.&nbsp; In short, I'd like a table with the following:</P><TABLE border="1" width="120.6193339521025%"><TBODY><TR><TD width="25%" height="24px"><STRONG>Time</STRONG></TD><TD width="25%" height="24px"><STRONG>UserName</STRONG></TD><TD width="89.36781609195403%" height="24px"><STRONG>Message</STRONG></TD></TR><TR><TD width="25%" height="24px">10:00 a.m.</TD><TD width="25%" height="24px">JohnDoe</TD><TD width="89.36781609195403%" height="24px">This is action1.&nbsp; Details for action1.</TD></TR><TR><TD>10:01 a.m.</TD><TD>JohnDoe</TD><TD>This is action2.&nbsp; Details for action2.</TD></TR><TR><TD>10:02 a.m.&nbsp;</TD><TD>JohnDoe</TD><TD>This is action3.&nbsp; Details for action3.</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I know can define a friendly name for the action using a lookup.&nbsp; I can also do the rex field extractions and compose a details field using a macro for each action.&nbsp; However, is there a way to also rex the fields and define the details in a lookup?&nbsp;&nbsp;</P><P>I was thinking of creating a lookup like this:</P><TABLE border="1" width="125.69341879294156%"><TBODY><TR><TD width="14.246231155778895%" height="24px"><STRONG>Action</STRONG></TD><TD width="24.56107698988771%" height="24px"><STRONG>FriendlyDescription</STRONG></TD><TD width="105.637351546959%" height="24px"><STRONG>MacroDefinition</STRONG></TD></TR><TR><TD width="14.246231155778895%" height="24px">action1</TD><TD width="24.56107698988771%" height="24px">"This is action1"</TD><TD width="105.637351546959%" height="24px">| rex to extract fields for action1 | eval for Details for action1</TD></TR><TR><TD width="14.246231155778895%" height="29px">action2</TD><TD width="24.56107698988771%" height="29px">"This is action2"</TD><TD width="105.637351546959%" height="29px">| rex to extract fields for action2&nbsp;| eval for Details for action2</TD></TR><TR><TD width="14.246231155778895%" height="24px">action3</TD><TD width="24.56107698988771%" height="24px">"This is action3"</TD><TD width="105.637351546959%" height="24px">| rex to extract fields for action3 | eval for Details for action3</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I was thinking about something like this:</P><P>&nbsp;</P><LI-CODE lang="markup">index=MyIndex source=MySource | lookup MyLookup.csv ActionId OUTPUT FriendlyDescription, MacroDefinition `code to execute MacroDefinition` |table _time, UserName, FriendlyDescription, Details for action</LI-CODE><P>&nbsp;</P><P>I'm not sure if i'm barking up the wrong tree, but the reason I'd like to do this in one place (a lookup) instead of 50 different macro definitions.&nbsp; It'd be neat to have all the code in one place.</P><P>Thanks!</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 04 Nov 2024 21:37:48 GMT https://community.splunk.com/t5/Splunk-Search/Run-macro-commands-from-lookup/m-p/701369#M237909 apiprek2 2024-11-04T21:37:48Z https://community.splunk.com/t5/Splunk-Search/Run-macro-commands-from-lookup/m-p/701378#M237913 <P>Macros are expanded before the resultant SPL is parsed and executed which probably means that macros stored in a lookup are not expanded.</P> Tue, 08 Oct 2024 23:01:29 GMT https://community.splunk.com/t5/Splunk-Search/Run-macro-commands-from-lookup/m-p/701378#M237913 ITWhisperer 2024-10-08T23:01:29Z https://community.splunk.com/t5/Splunk-Search/Run-macro-commands-from-lookup/m-p/701428#M237930 <P>That's what i'm finding as well.&nbsp; I'm curious if there's a round-about way to do this.&nbsp; Maybe using that string as a token in a dashboard?</P> Wed, 09 Oct 2024 14:13:04 GMT https://community.splunk.com/t5/Splunk-Search/Run-macro-commands-from-lookup/m-p/701428#M237930 apiprek2 2024-10-09T14:13:04Z