https://community.splunk.com/t5/Splunk-Search/Macro-returns-no-result-when-applied/m-p/94437#M24347 <P>Thanks .Worked with : definition = "127.0.0.1"</P> Fri, 11 Oct 2013 14:22:44 GMT klausJohan 2013-10-11T14:22:44Z https://community.splunk.com/t5/Splunk-Search/Macro-returns-no-result-when-applied/m-p/94431#M24341 <P>Hello,</P> <P>Could someone explain what am I doing wrong in using a macro ?</P> <P>Here is the macros.conf file </P> <PRE><CODE>[GET_IP] definition = 127.0.0.1 </CODE></PRE> <P>The search query I intend to use is :</P> <PRE><CODE>source="mySource" AND object.ip_address='GET_IP' </CODE></PRE> <P>However, if I paste the above query in the search bar I obtain no result . On the other hand if I do the same thing for the expanded query <CODE>(source="mySource" AND object.ip_address=127.0.0.1)</CODE> I get all the events back .</P> Fri, 11 Oct 2013 12:32:03 GMT https://community.splunk.com/t5/Splunk-Search/Macro-returns-no-result-when-applied/m-p/94431#M24341 klausJohan 2013-10-11T12:32:03Z https://community.splunk.com/t5/Splunk-Search/Macro-returns-no-result-when-applied/m-p/94432#M24342 <P>You need to use backticks, not quotes, and probably make it eval macro.</P> <P>macros.conf<BR /> <CODE>[GET_IP]<BR /> definition = "\"127.0.0.1\""<BR /> iseval = true</CODE></P> <P><CODE><BR /> source="mySource" object.ip_address=<BACKTICK>GET_IP<BACKTICK><BR /> </BACKTICK></BACKTICK></CODE></P> Mon, 28 Sep 2020 14:57:04 GMT https://community.splunk.com/t5/Splunk-Search/Macro-returns-no-result-when-applied/m-p/94432#M24342 alacercogitatus 2020-09-28T14:57:04Z https://community.splunk.com/t5/Splunk-Search/Macro-returns-no-result-when-applied/m-p/94433#M24343 <P>The "backtip " opened my eyes about how to properly use a macro in a search. Now I obtain an error : Error in 'SearchParser': Could not find macro 'GET_IP' that takes 0 arguments. Expecting stanza name 'GET_IP'.</P> Mon, 28 Sep 2020 14:57:07 GMT https://community.splunk.com/t5/Splunk-Search/Macro-returns-no-result-when-applied/m-p/94433#M24343 klausJohan 2020-09-28T14:57:07Z https://community.splunk.com/t5/Splunk-Search/Macro-returns-no-result-when-applied/m-p/94434#M24344 <P>try this url: <CODE><A href="http://your_splunk:8000/en-US/debug/refresh/?entity=admin/macros" target="test_blank">http://your_splunk:8000/en-US/debug/refresh/?entity=admin/macros</A></CODE> and then try your search again.</P> Fri, 11 Oct 2013 13:01:36 GMT https://community.splunk.com/t5/Splunk-Search/Macro-returns-no-result-when-applied/m-p/94434#M24344 alacercogitatus 2013-10-11T13:01:36Z https://community.splunk.com/t5/Splunk-Search/Macro-returns-no-result-when-applied/m-p/94435#M24345 <P>Thanks. I'm still getting an error back . This time is "Error in 'SearchParser': The definition of macro 'GET_IP' is expected to be an eval expression that returns a string"</P> Fri, 11 Oct 2013 13:09:29 GMT https://community.splunk.com/t5/Splunk-Search/Macro-returns-no-result-when-applied/m-p/94435#M24345 klausJohan 2013-10-11T13:09:29Z https://community.splunk.com/t5/Splunk-Search/Macro-returns-no-result-when-applied/m-p/94436#M24346 <P>try your initial definition.</P> Fri, 11 Oct 2013 13:13:41 GMT https://community.splunk.com/t5/Splunk-Search/Macro-returns-no-result-when-applied/m-p/94436#M24346 alacercogitatus 2013-10-11T13:13:41Z https://community.splunk.com/t5/Splunk-Search/Macro-returns-no-result-when-applied/m-p/94437#M24347 <P>Thanks .Worked with : definition = "127.0.0.1"</P> Fri, 11 Oct 2013 14:22:44 GMT https://community.splunk.com/t5/Splunk-Search/Macro-returns-no-result-when-applied/m-p/94437#M24347 klausJohan 2013-10-11T14:22:44Z