Knowledge Management

Can I populate a macro from search results?

poxx82
Engager

Hi,

I am trying to take the results of a search that returns 1000 machines and search for them in an index. Not sure what the best way to accomplish this is...

I was attempting to create tokens with 100 machines in each (MACHINE="A" OR MACHINE="B" OR MACHINE="C") and put them in a macro - $token1$ $token2$ $token3$ ... etc. which would result in 1000 machines listed in the format above to search against an index - index="A" (macro). Is there a better way to create a list from a search and drop it into a macro? Right now the limitation I am running into is the number of characters in an eval field.

Thanks.


woodcock
Esteemed Legend

What you are really looking for is a subsearch. Here is a search that generates a list of 100 like you indicated:

| makeresults 
| eval MACHINE=mvrange(1,101)
| rex field=MACHINE mode=sed "s/^/MACHINE/"
| format

Really, though, I would read this list from a lookup and then it would be like this:

| inputlookup YourLookupWithListOfMachinesHere
| format

You could bury this inside of a macro but I really don't see the point. To use one, put it inside of square-brackets to define a subsearch in your main search like this:

index=foo [| inputlookup YourLookupWithListOfMachinesHere]

DalJeanis
SplunkTrust

In short, NO.

Macros are evaluated first, before any searching happens.

However, what you are asking for is pretty easy, with at least three different ways you can do it.

First, use a subsearch.

1) Create a search that gets you 1000 MACHINES (only that one field, in a table).
2) Put it in brackets.
3) The system will execute the subsearch and return a value that looks like ( ( MACHINE="machine1" ) OR ( MACHINE="machine2" ) OR... )
4) You're done.

index=foo  [ your search that gets 1000 records | table MACHINE ] 

SECOND METHOD -

1) Create a first search that saves the 1000 values for MACHINE to a lookup table
2) create a second search that uses | lookup mytable MACHINE OUTPUT MACHINE as foundme | where isnotnull(foundme)

There are lots more.

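To make the subsearch behaviour described in the answers above concrete, here is an added example (not code from any answer or from Splunk) that emulates what the format command does to a table of MACHINE values, using Splunk's default separators "(" "(" "AND" ")" "OR" ")". It assumes a subsearch result is a list of field/value rows, and it quotes every value so a host name containing a double quote cannot alter the generated search; the 10,000-row cap mirrors the default subsearch maxout limit.

```python
from typing import Dict, List

# Constructed sample rows, standing in for what "... | table MACHINE"
# would return inside a subsearch (one of them contains a quote on purpose).
SAMPLE_ROWS = [{"MACHINE": "web01"}, {"MACHINE": "web02"}, {"MACHINE": 'db"01'}]


def quote_value(value: str) -> str:
    """Quote one field value for use in a generated search string.

    Backslashes and double quotes are escaped so that a value taken from
    search results cannot close the quoted string and inject extra terms
    into the outer search.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def format_subsearch(rows: List[Dict[str, str]], max_results: int = 10000) -> str:
    """Emulate the default output of Splunk's format command.

    Each row becomes "( field1="v1" AND field2="v2" )"; rows are joined with
    OR and the whole thing is wrapped in one more pair of parentheses, which
    is the "( ( MACHINE="machine1" ) OR ( MACHINE="machine2" ) ... )" shape
    described above. Only the first max_results rows are used, like the
    default subsearch maxout limit.
    """
    if not rows:
        # Hypothetical choice for this example: an empty host list should be
        # a visible error, not a filter that silently matches everything.
        raise ValueError("subsearch returned no rows; refusing to build a filter")
    clauses = []
    for row in rows[:max_results]:
        terms = [f"{field}={quote_value(str(value))}" for field, value in row.items()]
        clauses.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(clauses) + " )"


def build_search(index: str, rows: List[Dict[str, str]]) -> str:
    """Assemble the outer search, equivalent to: index=<index> [ ... | table MACHINE ]."""
    return f"index={quote_value(index)} {format_subsearch(rows)}"


if __name__ == "__main__":
    print(build_search("foo", SAMPLE_ROWS))
```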

kamlesh_vaghela
SplunkTrust

Hi

You can try it with the return command, like this:

index="A" [ search SECOND_SEARCH | return MACHINE]

SECOND_SEARCH is the logic which you want to pass in the macro.

Please see the return doc for more info.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Return

hardikJsheth
Motivator

Macros are not for this purpose. If I understood the requirement correctly, you want to search for a list of hosts from one query and then use this list in another query. A good option would be to use a JOIN query or an append query.
