Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to pass an argument to a macro and execute this macro repeatedly using "by source"?

tac24
New Member
‎02-25-2016 08:23 PM

Hi,

I would like to execute macro_with_args repeatedly using by source. How can I pass the arg_value to the macro?

Context: syslog-like events from over thousands sites for a given time range are saved in each site-source-file. As a whole, …zip file is added to Splunk. For one site-source-file, I made search series and got a desired result (a), then defined the macro_with_args by extracting a core search series from (a) as (b). The defined macro was tested alone and got the same result as (a) did.

(a) 

index=… sourcetype=… source=specific-file-name-within…zip-file | series of search  |  stats  perc50(X) dc(Y)  values(Z)

(b)

macro name: perSITEinfo_with_args(1)
definition: search source=$in_source$ | series of search | stats perc50(X) dc(Y) values(Z)
args: in_source

As a new search, I expected the following search (c) work, but got no results:

(c) 

index=…  sourcetype=…   | `perSITEinfo_with_args(source)` by source

Q1: How can I pass the arg_value to the macro?
Q2: Does this approach (macro call repeatedly) work?
If not, what is another approach? Sub search?
It is appreciated if a “transformation” way from macro approach to another approach were explained.

0 Karma
Reply

DalJeanis
Legend
‎01-05-2017 12:30 PM

If the "series of search" is the same for all different sources, then you don't need a macro, although you could build one for the "source=" list below. Try this - 

  index=…  sourcetype=…  (source=filename1withinzip OR source=filename1withinzip OR source=filename1withinzip ...) | series of search | stats perc50(X) dc(Y) values(Z) by source
0 Karma
Reply

fdi01
Motivator
‎02-26-2016 03:47 AM

try like
(c) index=… sourcetype=… | perSITEinfo_with_args(specific-file-name-source-within…zip-file) by source

or
definition: search index=… sourcetype=… $in_source$ | series of search | stats perc50(X) dc(Y) values(Z) by source

after run with source=specific-file-name-source args like this :
perSITEinfo_with_args(source=specific-file-name-within…zip-file)

0 Karma
Reply

tac24
New Member
‎02-26-2016 05:00 PM

Hi, fdi01, thanks for your answer.
I tried your two solutions, unfortunately, they did not work.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...