
Debugging a search ran from python script

guilhem
Contributor

Hi!

I have a complex search that uses a macro. When running it in Splunk Web it works fine, but when running it from Python (fill_summary_index.py), the search isn't even parsed, and I get the error:

[EventsViewer module] Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the right hand side.

I would like to know how to debug the search more specifically (which equals sign is responsible for the parsing failure), and maybe why it works when run in the web browser but not from the script.

Here is the search (name MY_SEARCH):

index=INDEX action=AAA s=*
| join userId s [search index=INDEX action=BBB earliest=`MY_MACRO(MY_SEARCH, 20)`] 
| join userId type=outer [search index=INDEX action=BBB earliest=`MY_MACRO(MY_SEARCH, 48)` latest=`MY_MACRO(MY_SEARCH, 20)` | stats max(_time) as time by userId | eval r=1]
| fillnull r
| table v userId s r
| dedup v userId r
| eval rU=if(r==1, userId, null)
| sistats dc(userId) as total dc(rU) as r by v

Here is the macro (name MY_MACRO); it is used to compute the scheduled time of the search, independently of when I run it (it takes as parameters the name of the search and gets the first occurrence of it in the job list).

[| rest /services/search/jobs 
| search label="$arg1$" 
| head 1 
| eval earliest=substr(earliestTime, 1, 19)
| eval earliest=strptime(earliest,"%Y-%m-%dT%H:%M:%S")
| eval earliest=earliest-$arg2$*3600
| eval earliest=round(earliest, 0)
| return $earliest]

I think it may be a bit overkill, but I couldn't figure out how to do it more easily.

Guilhem

0 Karma
1 Solution

alacercogitatus
SplunkTrust

I think I spotted the issue. In your macro, you are returning "$earliest". Try returning "earliest".


alacercogitatus
SplunkTrust

I do believe that the $ is special within macros. I'd wager that is correct.

0 Karma

guilhem
Contributor

OK, thank you very much.

Indeed, when using the web app you can use return $whatever, and it will then return the right part of the field, BUT when used in a macro it doesn't work... I have switched and now use a macro for earliest and a macro for latest, and it does indeed work.

On a side note, why is it that way? Why does return $something not work inside a macro?

EDIT: I suppose the $ sign indicates that the macro should wait for an argument after it and thus messes up the end of the search. My guess.

0 Karma

guilhem
Contributor

[ft_hour_from_search_start(2)]
args = arg1, arg2
definition = [| rest /services/search/jobs | search label="$arg1$" | head 1 | eval earliest=substr(earliestTime, 1, 19)| eval earliest=strptime(earliest,"%Y-%m-%dT%H:%M:%S")| eval earliest=earliest-$arg2$*3600| eval earliest=round(earliest, 0)| return $earliest]
iseval = 0

Here it is, extracted from macros.conf in the /etc/apps/my_app/local folder; is this what you asked for?

0 Karma
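The thread comes down to one character: inside a macro definition, `$name$` is an argument placeholder, so a bare `$earliest` in `return $earliest` is read as an unterminated argument reference rather than as a field name. The following is an added example, not Splunk's code and not the poster's app; it is a small Python linter for macros.conf stanzas that catches exactly that class of mistake before a scheduled search or a script such as fill_summary_index.py trips over it. The sample macros.conf text is constructed for the example: the first stanza is modelled on the one posted above, the `_fixed` stanza is the corrected form, and `bad_args` is invented to show an arity mismatch and an undeclared argument.

```python
"""Lint Splunk macros.conf stanzas for argument-reference mistakes.

Added example for this thread, not part of Splunk or of the poster's app.
It checks three things the discussion touches: the arity in the stanza
name ("name(N)") must match the `args` list, every `$name$` reference must
be a declared argument, and a bare `$name` with no closing `$` (like the
`return $earliest` in the posted macro) is reported as unterminated.
"""
import configparser
import re

# Constructed sample macros.conf, modelled on the stanza quoted in the thread.
# Stanza 1 keeps the "return $earliest" the accepted answer pointed at,
# stanza 2 is the corrected form, stanza 3 is invented to show other errors.
SAMPLE_MACROS_CONF = """
[ft_hour_from_search_start(2)]
args = arg1, arg2
definition = [| rest /services/search/jobs | search label="$arg1$" | head 1 | eval earliest=substr(earliestTime, 1, 19) | eval earliest=strptime(earliest,"%Y-%m-%dT%H:%M:%S") | eval earliest=earliest-$arg2$*3600 | eval earliest=round(earliest, 0) | return $earliest]
iseval = 0

[ft_hour_from_search_start_fixed(2)]
args = arg1, arg2
definition = [| rest /services/search/jobs | search label="$arg1$" | head 1 | eval earliest=substr(earliestTime, 1, 19) | eval earliest=strptime(earliest,"%Y-%m-%dT%H:%M:%S") | eval earliest=earliest-$arg2$*3600 | eval earliest=round(earliest, 0) | return earliest]
iseval = 0

[bad_args(2)]
args = arg1
definition = index=$arg1$ sourcetype=$arg2$
iseval = 0
"""

# "name" or "name(N)" where N is the number of arguments the macro takes
STANZA_RE = re.compile(r"^(?P<name>[^()\s]+)(?:\((?P<arity>\d+)\))?$")
# a well-formed argument reference: $name$
ARG_REF_RE = re.compile(r"\$(\w+)\$")
# any '$' left over once well-formed references are removed
STRAY_DOLLAR_RE = re.compile(r"\$\w*")


def lint_stanza(stanza: str, fields: dict) -> list:
    """Return human-readable findings for one macro stanza (empty list = OK)."""
    findings = []
    m = STANZA_RE.match(stanza)
    if not m:
        return [f"stanza name {stanza!r} is not of the form name or name(N)"]
    arity = int(m.group("arity") or 0)
    args = [a.strip() for a in fields.get("args", "").split(",") if a.strip()]
    if len(args) != arity:
        findings.append(f"stanza declares {arity} argument(s) but args lists {len(args)}")
    definition = fields.get("definition", "")
    # every $name$ must be one of the declared arguments
    for ref in ARG_REF_RE.findall(definition):
        if ref not in args:
            findings.append(f"${ref}$ is referenced but not declared in args")
    # strip the good references; whatever '$' survives is a bare or unterminated one
    leftover = ARG_REF_RE.sub("", definition)
    for stray in STRAY_DOLLAR_RE.findall(leftover):
        findings.append(
            f"unterminated argument reference {stray!r}: inside a macro, "
            "arguments are written as $name$; use a bare field name instead"
        )
    return findings


def lint_macros(conf_text: str) -> dict:
    """Parse macros.conf text and lint every stanza; returns {stanza: [findings]}."""
    # interpolation=None so '$' and '%' in SPL pass through untouched;
    # delimiters=('=',) so the ':' inside strptime formats never splits a key.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(conf_text)
    return {s: lint_stanza(s, dict(parser[s])) for s in parser.sections()}


if __name__ == "__main__":
    for stanza, findings in lint_macros(SAMPLE_MACROS_CONF).items():
        status = "OK" if not findings else "\n  - " + "\n  - ".join(findings)
        print(f"[{stanza}] {status}")
```

To run it against a real app, read `etc/apps/<app>/local/macros.conf` into a string and pass it to `lint_macros`; the only finding on the posted stanza is the `$earliest`, which matches the accepted answer.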

alacercogitatus
SplunkTrust

Can you provide the macro definition with stanza?

0 Karma