Can I populate a macro from search results?

Engager

Hi,

I am trying to take the results of a search that returns 1000 machines and search for them in an index. Not sure what the best way to accomplish this is...

I was attempting to create tokens with 100 machines in each (MACHINE="A" OR MACHINE="B" OR MACHINE="C") and put them in a macro - $token1$ $token2$ $token3$ ... etc. which would result in 1000 machines listed in the format above to search against an index - index="A" (macro). Is there a better way to create a list from a search and drop it into a macro? Right now the limitation I am running into is the amount of characters in an eval field.

Thanks.

Re: Can I populate a macro from search results?

Motivator

Macros are not for this purpose. If I understood the requirement correctly, you want to search for a list of hosts from one query and then use this list in another query. A good option would be to use a JOIN query or an append query.

Re: Can I populate a macro from search results?

SplunkTrust

Hi

You can try it with the return command, like this:

index="A" [ search SECOND_SEARCH | return 1000 MACHINE ]

SECOND_SEARCH is the logic which you want to pass in the macro.

Please see the return doc for more info.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Return

Re: Can I populate a macro from search results?

SplunkTrust

In short, NO.

Macros are evaluated first, before any searching happens.

However, what you are asking for is pretty easy, with at least three different ways you can do it.

First, use a subsearch.

1) Create a search that gets you 1000 MACHINES (only that one field, in a table).
2) Put it in brackets.
3) The system will execute the subsearch and return a value that looks like ( ( MACHINE="machine1" ) OR ( MACHINE="machine2" ) OR... )
4) You're done.

index=foo [ your search that gets 1000 records | table MACHINE ]

SECOND METHOD -

1) Create a first search that saves the 1000 values for MACHINE to a lookup table.
2) Create a second search that uses | lookup mytable MACHINE OUTPUT MACHINE as foundme | where isnotnull(foundme)

There are lots more.

Re: Can I populate a macro from search results?

Esteemed Legend

What you are really looking for is a subsearch. Here is a search that generates a list of 100 like you indicated:

| makeresults 
| eval MACHINE=mvrange(1,101)
| rex field=MACHINE mode=sed "s/^/MACHINE/"
| format

Really, though, I would read this list from a lookup and then it would be like this:

| inputlookup YourLookupWithListOfMachinesHere
| format

You could bury this inside of a macro but I really don't see the point. To use one, put it inside of square-brackets to define a subsearch in your main search like this:

index=foo [| inputlookup YourLookupWithListOfMachinesHere]
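The subsearch and lookup methods from the two answers above, worked end to end as an added example (this is not code from any of the posters). The index names, the field name MACHINE, the time range and the lookup file name target_machines.csv are assumptions; the first search builds the host list once, and the three searches that follow each consume it differently.

```spl
index=asset_inventory earliest=-24h
| stats count by MACHINE
| fields MACHINE
| outputlookup target_machines.csv

index=A [| inputlookup target_machines.csv | fields MACHINE | format]

index=A [ search index=asset_inventory earliest=-24h | stats count by MACHINE | return 1000 MACHINE ]

index=A
| lookup target_machines.csv MACHINE OUTPUT MACHINE AS foundme
| where isnotnull(foundme)
| stats count by MACHINE
```

The second search is expanded, before the outer search runs, into ( ( MACHINE="host1" ) OR ( MACHINE="host2" ) OR ... ), so no eval string and no macro is involved; that sidesteps the eval field length problem from the question. Two caveats apply to any subsearch: the return command emits only one row unless a count is given, hence `return 1000`, and subsearches are capped by limits.conf ([subsearch] maxout, default 10000 rows, and maxtime, default 60 seconds), so a silently truncated list is the failure mode to watch for. The fourth search (lookup plus where isnotnull) has no such cap and is the form to prefer when the host list may grow beyond a few thousand entries.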