
Debugging a search run from a Python script

Contributor

Hi!

I have a complex search that uses a macro. When running it in splunkweb it works fine, but when running it from the Python script (fillsummaryindex.py), the search isn't even parsed, and I get the error:

[EventsViewer module] Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the right hand side.

I would like to know how to debug more specifically the search (which equal is responsible for the parsing failure), and maybe why it can work when run in the web browser, but not from the script.

Here is the search (name MY_SEARCH):

index=INDEX action=AAA s=*
| join userId s [search index=INDEX action=BBB earliest=`MY_MACRO(MY_SEARCH, 20)`]
| join userId type=outer [search index=INDEX action=BBB earliest=`MY_MACRO(MY_SEARCH, 48)` latest=`MY_MACRO(MY_SEARCH, 20)` | stats max(_time) as time by userId | eval r=1]
| fillnull r
| table v userId s r
| dedup v userId r
| eval rU=if(r==1, userId, null)
| sistats dc(userId) as total dc(rU) as r by v

Here is the macro (name MY_MACRO). It is used to compute the scheduled time of the search, independently of when I run it (it takes as parameters the name of the search and gets the first occurrence of it in the job list).

[| rest /services/search/jobs 
| search label="$arg1$" 
| head 1 
| eval earliest=substr(earliestTime, 1, 19)
| eval earliest=strptime(earliest,"%Y-%m-%dT%H:%M:%S")
| eval earliest=earliest-$arg2$*3600
| eval earliest=round(earliest, 0)
| return $earliest]

I think it may be a bit overkill, but I couldn't figure out how to do it more easily.

Guilhem


SplunkTrust

I think I spotted the issue. In your macro, you are returning "$earliest". Try returning "earliest".



SplunkTrust

I do believe that the $ is special within macros. I'd wager that is correct.


Contributor

OK, thank you very much.

Indeed, when using the web app you can use return $whatever and it will then return the right part of the field, BUT when used in a macro it doesn't work... I have switched and now use a macro for earliest and a macro for latest, and it does indeed work.

On a side note, why is it that way? Why is the return $something not working inside a macro?

EDIT: I suppose the $ sign indicates that the macro should wait for an argument after it and thus messes up the end of the search. My guess.


Contributor

[fthourfromsearchstart(2)]
args = arg1, arg2
definition = [| rest /services/search/jobs | search label="$arg1$" | head 1 | eval earliest=substr(earliestTime, 1, 19)| eval earliest=strptime(earliest,"%Y-%m-%dT%H:%M:%S")| eval earliest=earliest-$arg2$*3600| eval earliest=round(earliest, 0)| return $earliest]
iseval = 0

Here it is, extracted from macros.conf in the /etc/apps/my_app/local folder. Is that what you asked for?

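The original question asks how to find which `=` is the one the parser complains about, and the accepted answer points at the stray `$` in `return $earliest`. The following Python helper is an added example, not code from this thread, from Splunk, or from fillsummaryindex.py: it reads a macros.conf-style text (constructed here from the stanza posted above, with a second stanza carrying the corrected `return earliest`), expands the macro calls in a search string the way a reviewer would by hand, and then reports every `=` comparator with nothing on its right-hand side plus every `$` token that survived expansion. The expansion is a simplified approximation of Splunk's own macro handling (no `iseval` support, no quoting rules), and the "empty right-hand side" test is a heuristic that only flags a `=` followed by `|`, `]`, `)` or end of text; the searches and macro names are constructed sample input.

```python
"""Added debugging helper (example code, not from the thread and not a Splunk
tool): expand SPL macro calls from a macros.conf-style definition, then report
which '=' has nothing on its right-hand side and which '$' tokens survived."""
import configparser
import re
from typing import Dict, List, Tuple

# Constructed macros.conf text, modelled on the stanza posted in the thread.
# The second stanza is the corrected form the accepted answer suggests.
MACROS_CONF = r"""
[fthourfromsearchstart(2)]
args = arg1, arg2
definition = [| rest /services/search/jobs | search label="$arg1$" | head 1 | eval earliest=strptime(substr(earliestTime, 1, 19),"%Y-%m-%dT%H:%M:%S") | eval earliest=round(earliest-$arg2$*3600, 0) | return $earliest]
iseval = 0

[fthourfromsearchstart_fixed(2)]
args = arg1, arg2
definition = [| rest /services/search/jobs | search label="$arg1$" | head 1 | eval earliest=strptime(substr(earliestTime, 1, 19),"%Y-%m-%dT%H:%M:%S") | eval earliest=round(earliest-$arg2$*3600, 0) | return earliest]
iseval = 0
"""

# Constructed searches: one using the original macro, one using the fixed one,
# and one with a deliberately empty comparator to show what the checker reports.
SEARCH_ORIG = ("index=INDEX action=AAA s=* | join userId s [search index=INDEX action=BBB "
               "earliest=`fthourfromsearchstart(MY_SEARCH, 20)`] | stats count by userId")
SEARCH_FIXED = SEARCH_ORIG.replace("fthourfromsearchstart(", "fthourfromsearchstart_fixed(")
SEARCH_BROKEN = "index=INDEX action= | stats count by userId"

MACRO_CALL = re.compile(r"`(\w+)(?:\(([^)]*)\))?`")  # `name` or `name(a, b)`
TERMINATORS = set("|])")  # characters that end a search term (heuristic)


def load_macros(conf_text: str) -> Dict[str, Tuple[List[str], str]]:
    """Parse macros.conf text into {stanza: (argument names, definition)}."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '%' literal
    cp.read_string(conf_text)
    macros = {}
    for stanza in cp.sections():
        args = [a.strip() for a in cp[stanza].get("args", "").split(",") if a.strip()]
        macros[stanza] = (args, cp[stanza]["definition"])
    return macros


def expand(search: str, macros: Dict[str, Tuple[List[str], str]], depth: int = 10) -> str:
    """Replace each `name(a, b)` call with its definition, $arg$ substituted.
    The pass is repeated so macros nested inside macro bodies are resolved."""
    def substitute(m: re.Match) -> str:
        name, raw_args = m.group(1), m.group(2)
        values = [v.strip() for v in raw_args.split(",")] if raw_args else []
        stanza = f"{name}({len(values)})" if values else name  # Splunk-style stanza key
        if stanza not in macros:
            raise KeyError(f"macro {stanza} not defined")
        arg_names, body = macros[stanza]
        for arg_name, value in zip(arg_names, values):
            body = body.replace(f"${arg_name}$", value)  # only whole $name$ tokens
        return body

    for _ in range(depth):
        expanded = MACRO_CALL.sub(substitute, search)
        if expanded == search:
            return expanded
        search = expanded
    raise RecursionError("macro expansion did not converge")


def empty_comparators(spl: str) -> List[Tuple[int, str]]:
    """Return (offset, context) for every '=' with no term on its right.
    '==', '!=', '<=' and '>=' are skipped; a term counts as missing when only
    spaces separate the '=' from '|', ']', ')' or the end of the text."""
    findings = []
    for i, ch in enumerate(spl):
        if ch != "=":
            continue
        if (i > 0 and spl[i - 1] in "=!<>") or spl[i + 1:i + 2] == "=":
            continue
        j = i + 1
        while j < len(spl) and spl[j] == " ":
            j += 1
        if j >= len(spl) or spl[j] in TERMINATORS:
            findings.append((i, spl[max(0, i - 20):i + 1]))
    return findings


def unresolved_dollars(spl: str) -> List[str]:
    """'$' tokens left after expansion; in the thread the culprit was
    `return $earliest` inside the macro definition."""
    return re.findall(r"\$\w+\$?", spl)


def debug_search(search: str, macros: Dict[str, Tuple[List[str], str]]) -> Dict[str, object]:
    """Expand the search and collect both kinds of findings in one report."""
    expanded = expand(search, macros)
    return {"expanded": expanded,
            "empty_comparators": empty_comparators(expanded),
            "unresolved_dollars": unresolved_dollars(expanded)}


if __name__ == "__main__":
    defs = load_macros(MACROS_CONF)
    for label, spl in (("original", SEARCH_ORIG), ("fixed", SEARCH_FIXED), ("broken", SEARCH_BROKEN)):
        report = debug_search(spl, defs)
        print(f"{label}: empty '=' at {report['empty_comparators']}, "
              f"leftover $ tokens {report['unresolved_dollars']}")
```

Running it prints no empty comparator for either macro-based search, but `$earliest` as a leftover token for the original stanza and nothing for the fixed one, while the constructed broken search reports the offset and a snippet of context for the `action=` that has no value. Pasting the expanded string from the report into the search bar is the quickest way to confirm which form splunkweb is actually parsing.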

SplunkTrust

Can you provide the macro definition with stanza?
