topic Re: Preventing format from being called on a subsearch in Splunk Search

Preventing format from being called on a subsearch

cphair — Fri, 03 May 2013 20:40:03 GMT

Hello,

I have a macro (a subsearch enclosed in square brackets) that I use to filter my initial search. I would like to do some regex magic on the search string that format creates. Unfortunately, if I call format and do parsing on the search field, a second format seems to be implicitly called at the end of the macro, and it encloses the regexed search string in an extra set of quotes and double parentheses, which confuses the outer search. Is there a way either to prevent format from being called at all, or to keep it from enclosing the field in quotes?

Re: Preventing format from being called on a subsearch

martin_mueller — Fri, 03 May 2013 21:11:49 GMT

When I do this

[gentimes start=-1 increment=8h | fields starthuman | format | eval search = replace(search, "\(", "{") | eval search = replace(search, "\)", "}")]

there is no extra format being called, and splunk's litsearch literally does look for curly braces - what are you doing differently?

Re: Preventing format from being called on a subsearch

cphair — Fri, 03 May 2013 21:28:48 GMT

I'm playing with parsing input from a dashboard textbox. It's something like this.

If I run it in the search bar without the brackets and paste the resulting query in my outer search, it works fine. When I call it as a macro, it doesn't. If I run it in the search bar with the square brackets included, it adds an extra ((" and ")) on either side of the string, which I'm guessing is how the search sees it.

Re: Preventing format from being called on a subsearch

martin_mueller — Fri, 03 May 2013 21:37:22 GMT

Hmm. Two thoughts - first, you can replace dummy search | head 1 with stats count to use up zero resources whatsoever and second, have you considered using eval-based macros instead of the subsearch?

Re: Preventing format from being called on a subsearch

cphair — Mon, 06 May 2013 14:22:18 GMT

stats count actually takes several seconds to return a single event. I can't write the macro as a single eval statement because of the regex requirements, and I have never gotten eval-based macros to work in a more complicated format.

Re: Preventing format from being called on a subsearch

martin_mueller — Mon, 06 May 2013 14:33:59 GMT

That's odd on the stats, provided you have no search in front of it the stats just has to go "Oh - no events, print out count=0 and be done!" in no time at all.

Re: Preventing format from being called on a subsearch

cphair — Mon, 06 May 2013 14:40:03 GMT

Actually, if I use index=null splunk_server=localhost | stats count, that returns relatively quickly--it's the going out to the distributed search peers that makes it take forever. But at any rate, getting the returned macro string correct is my bigger concern.

Re: Preventing format from being called on a subsearch

cphair — Tue, 07 May 2013 13:48:12 GMT

Figured it out. I can just call return at the end of the macro and it doesn't reapply the formatting.