Dashboards & Visualizations

Dashboard base search cannot use macros

pgreer_splunk
Splunk Employee

I've come to find out that one cannot use macros within join statements in dashboards that have base searches (driving multiple/all panels in the dashboard).

For example, the following code doesn't work:

<dashboard>
  <label>mylabel</label>
  <search id="base">
    <query>index=some_index sourcetype="mysourcetype" earliest=-30d@d
| `mymacro`
| search [search index=customer_index | `mymacro` | table customer | dedup customer]
| stats count by field1 field2 field3
| lookup mylookup customer OUTPUT customer_name as "Customer"
| join customer [ search index=some_index earliest=-30d@d sourcetype="mysourcetype" | `mymacro` | rex "(?<core>\w*)\s*(?<version>(\d|\.)*)\s*(?<build>.*)" | fields customer version]     </query>
    <earliest>-30d@d</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Total Customers</title>
      <single>
        <search base="base">
          <query>| table customer | dedup customer | stats count</query>
        </search>
      </single>
    </panel>
  </row>
</dashboard>

but if I take the macro out of the join statement, it will work:

<dashboard>
  <label>mylabel</label>
  <search id="base">
    <query>index=some_index sourcetype="mysourcetype" earliest=-30d@d
| `mymacro`
| search [search index=customer_index | `mymacro` | table customer | dedup customer]
| stats count by field1 field2 field3
| lookup mylookup customer OUTPUT customer_name as "Customer"
| join customer [ search index=some_index earliest=-30d@d sourcetype="mysourcetype" | rex field=host "(.*)\.(?<StackId>[^\.]+).splunkcloud.com" | eval customer = StackId | rex "(?<core>\w*)\s*(?<version>(\d|\.)*)\s*(?<build>.*)" | fields customer version]     </query>
    <earliest>-30d@d</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Total Customers</title>
      <single>
        <search base="base">
          <query>| table customer | dedup customer | stats count</query>
        </search>
      </single>
    </panel>
  </row>
</dashboard>

where the macro mymacro expands to:

rex field=host "(.*)\.(?<StackId>[^\.]+).splunkcloud.com" | eval customer = StackId

Has anyone seen this before? It occurs in 6.4.x and 6.5.x. If so, is there a way around it?

gvmorley
Contributor

Hi,

Have you tried putting your query inside a <![CDATA[]]> tag?

So like this:

<query>
    <![CDATA[index=some_index sourcetype="mysourcetype" earliest=-30d@d
    | `mymacro`
    | search [search index=customer_index | `mymacro` | table customer | dedup customer]
    | stats count by field1 field2 field3
    | lookup mylookup customer OUTPUT customer_name as "Customer"
    | join customer [ search index=some_index earliest=-30d@d sourcetype="mysourcetype" | rex field=host "(.*)\.(?<StackId>[^\.]+).splunkcloud.com" | eval customer = StackId | rex "(?<core>\w*)\s*(?<version>(\d|\.)*)\s*(?<build>.*)" | fields customer version]]]>
</query>

This should hopefully get around all of the tedious &gt; and &lt; issues.

This is hidden away in this Splunk doc: Special Characters in XML Files

pgreer_splunk
Splunk Employee

After posting this (and editing it for clarity) I believe I've found the culprit: the macro expands to contain the characters '<' and '>', which do not work all that well in XML and should instead be coded as

&lt;

&gt;

So the question is: if the macro has characters such as '>' and '<' - they work outside of the join (such as in the base search itself, or in a subsearch of a search command) - but they do NOT work within the join....

Is there a way to have the macro expand in a manner that it will be properly encoded within the XML within the join command?
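The two posts above boil down to one mechanism: once `mymacro` is expanded, its named capture group `(?<StackId>...)` puts a raw `<` and `>` into the text of the `<query>` element, and an XML parser reads `<StackId>` as a start tag. The following script is an added illustration, not code from the thread or from Splunk: it builds a minimal dashboard around a constructed base search with the macro body already expanded inside the join, then parses it three ways (raw, wrapped in CDATA as gvmorley suggests, and entity-escaped as the follow-up post suggests) and reports which variants both parse and return the SPL unchanged. The dashboard skeleton and SPL strings are constructed from the thread; the parser used is Python's expat-backed ElementTree, which is an assumption standing in for Splunk's own XML loader.

```python
"""Show why a regex with named groups breaks a SimpleXML <query> element,
and that CDATA or entity escaping preserves the SPL. Added example built from
the thread's snippets; not Splunk's own code."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed from the thread: the SPL that `mymacro` expands to. The named
# capture group (?<StackId>...) carries raw '<' and '>' characters.
MACRO_BODY = (r'rex field=host "(.*)\.(?<StackId>[^\.]+).splunkcloud.com"'
              r' | eval customer = StackId')


def build_query(macro_body: str) -> str:
    """Constructed base search with the macro already expanded inside the join."""
    return ('index=some_index sourcetype="mysourcetype" earliest=-30d@d\n'
            '| join customer [ search index=some_index sourcetype="mysourcetype" | '
            + macro_body + ' | fields customer version]')


def dashboard_xml(query_text: str, mode: str) -> str:
    """Wrap the query in a minimal SimpleXML dashboard.

    mode: 'raw'    -> paste the SPL as-is (what an expanded macro produces)
          'cdata'  -> wrap it in <![CDATA[ ... ]]>
          'escape' -> replace & < > with &amp; &lt; &gt;
    """
    if mode == "raw":
        inner = query_text
    elif mode == "cdata":
        inner = "<![CDATA[" + query_text + "]]>"
    elif mode == "escape":
        inner = escape(query_text)
    else:
        raise ValueError("unknown mode: " + mode)
    return ('<dashboard>\n  <label>mylabel</label>\n  <search id="base">\n'
            '    <query>' + inner + '</query>\n  </search>\n</dashboard>')


def parse_query(xml_text: str):
    """Return (ok, query_or_error); ok is False when the XML is malformed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, str(exc)
    return True, root.find("./search/query").text


def check_all():
    """Map each encoding mode to whether the SPL survives the XML round trip."""
    query = build_query(MACRO_BODY)
    results = {}
    for mode in ("raw", "cdata", "escape"):
        ok, payload = parse_query(dashboard_xml(query, mode))
        # A mode "works" only if the document parses AND the query text comes
        # back byte for byte, i.e. the named-group regex would reach Splunk intact.
        results[mode] = ok and payload == query
    return results


if __name__ == "__main__":
    for mode, ok in check_all().items():
        print(f"{mode:7s} {'OK' if ok else 'FAILS'}")
```

Running it reports that the raw variant fails (the parser hits `</query>` while it still believes a `StackId` element is open) while both the CDATA and the entity-escaped variants parse and hand back the original SPL. Note that `]]>` inside the query would terminate a CDATA section early; the trailing `]` that closes the join subsearch here is harmless because expat ends the section at the first complete `]]>`, but a query that itself contains `]]>` would need the entity form instead.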
