topic Don't get eval based macros in Splunk Search

Don't get eval based macros

andersmholmgren — Fri, 09 Dec 2011 00:59:39 GMT

I just can't seem to understand how the eval based macros are supposed to work

I wrote a very simple macro

[TEST]
definition = "TEST"
iseval = 1

then a query to test the output

index=_audit | head 1 | eval test1=`TEST`  | eval test2=tostring(`TEST`) | table test*

The output is one column 'test2' with a value of Null

Why is that? Shouldn't the value be "TEST" for both columns? If not why not?

Re: Don't get eval based macros

genthaler — Fri, 09 Dec 2011 03:10:10 GMT

Try this:

[TEST]
definition = "\"TEST\""
iseval = 1

Re: Don't get eval based macros

gkanapathy — Fri, 09 Dec 2011 06:56:36 GMT

An eval-based macro returns a string, which is substituted into the query. Your macro returns the string TEST, without quotes, so you are getting:

... | eval test1=TEST  | eval test2=tostring(TEST) | ...

In this case, TEST is used as the name of a non-existent variable. You can get what you intended either with @genthaler's answer, or by putting the quotes in the query:

... | eval test1="`TEST`"  | eval test2=tostring("`TEST`") | ...

Re: Don't get eval based macros

genthaler — Fri, 09 Dec 2011 13:37:14 GMT

Hi @gkanapathy,
I just tried it, unfortunately quoted macro invocations don't get invoked.
So instead of "TEST", you end up with the literal string "`TEST`".