Getting Data In

How to pass an argument to a macro and execute this macro repeatedly using "by source"?

tac24
New Member

Hi,

I would like to execute macro_with_args repeatedly using by source. How can I pass the arg_value to the macro?

Context: syslog-like events from over thousands sites for a given time range are saved in each site-source-file. As a whole, …zip file is added to Splunk. For one site-source-file, I made search series and got a desired result (a), then defined the macro_with_args by extracting a core search series from (a) as (b). The defined macro was tested alone and got the same result as (a) did.

(a)

index=… sourcetype=… source=specific-file-name-within…zip-file | series of search  |  stats  perc50(X) dc(Y)  values(Z)

(b)

macro name: perSITEinfo_with_args(1)
definition: search source=$in_source$ | series of search | stats perc50(X) dc(Y) values(Z)
args: in_source

As a new search, I expected the following search (c) work, but got no results:

(c)

index=…  sourcetype=…   | `perSITEinfo_with_args(source)` by source

Q1: How can I pass the arg_value to the macro?
Q2: Does this approach (macro call repeatedly) work?
If not, what is another approach? Sub search?
It is appreciated if a “transformation” way from macro approach to another approach were explained.

0 Karma

DalJeanis
Legend

If the "series of search" is the same for all different sources, then you don't need a macro, although you could build one for the "source=" list below. Try this -

  index=…  sourcetype=…  (source=filename1withinzip OR source=filename1withinzip OR source=filename1withinzip ...) | series of search | stats perc50(X) dc(Y) values(Z) by source
0 Karma

fdi01
Motivator

try like
(c) index=… sourcetype=… | perSITEinfo_with_args(specific-file-name-source-within…zip-file) by source

or
definition: search index=… sourcetype=… $in_source$ | series of search | stats perc50(X) dc(Y) values(Z) by source

after run with source=specific-file-name-source args like this :
perSITEinfo_with_args(source=specific-file-name-within…zip-file)

0 Karma

tac24
New Member

Hi, fdi01, thanks for your answer.
I tried your two solutions, unfortunately, they did not work.

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...