Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- Re: How do I make macro arguments get parsed as fi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I make macro arguments get parsed as fields instead of literals?
I am trying to create a macro that will take a field from an existing query. But when I try to call it the macro treats its argument as a literal value rather than the search field value.
Specifically what I am trying to do is to lookup info about a queried machine in Carbon Black.
the macro looks like this
name: reqsensorsearch(1)
sensorsearch query="$sensor_search$"
I tried testing my macro with
|makeresults | eval sensor_search="hostname:<myhost>" | `reqsensorsearch(sensor_search)`
but if I do Ctrl+Shift+E (to expand and display), I see this
| makeresults
| eval sensor_search="hostname:<myhost>"
| sensorsearch query="sensor_search"
What do I need to do to make the macro accept the value of the field sensor_search? So I can get it to run as
|sensorsearch query="hostname:<myhost>"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Change your macro definition to this:
eval sensorsearch query="\"" . $sensor_search$ . "\""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do you mean like this?
| makeresults
| eval sensor_search="hostname:
| eval sensorsearch query="\"" . $sensor_search$ . "\""
in that case, it expands to
| makeresults
| eval sensor_search="hostname:
| eval sensorsearch query="\"" . $sensor_search$ . "\""
and the results come out as
_time sensor_search sensorsearch query
2018-07-02 08:45:03 hostname:
so that just eval's "seansorsearch query" as a value
I also tried removing the second eval, for which sensorsearch command still failed. I should note that if I run sensorsearch directly, it works fine, but if it is run as
| makeresults
| eval sensor_search="hostname:<myhost>"
| sensorsearch query="\"" . $sensor_search$ . "\""
I get back and error message and searchlog shows:
07-02-2018 08:47:42.608 INFO SearchParser - PARSING: | makeresults | eval sensor_search="hostname:" | sensorsearch query="\"" . $sensor_search$ . "\""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, no, no. Keep your SPL for testing the way that it is and change the definition of the macro itself to be exactly what is in my solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh. Of course, sorry. But then I still get the same results as when it is inline. That is it just writes the string rather than running the command:
_time sensor_search sensorsearch query
2018-07-02 10:01:43 hostname:wxlpf0v968r "hostname:wxlpf0v968r"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, look, define the macro the way that I showed you and then run this search:
|makeresults | eval sensor_search="hostname:<myhost>" | `reqsensorsearch(sensor_search)`
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I really think that is what I am doing
My macro:
Definition: eval sensorsearch query="\"" . $sensor_search$ . "\""
user eval-based definition: not checked
Arguments: sensor_search
search line:
|makeresults | eval sensor_search="hostname:" | reqsensorsearch(sensor_search)
results:
_time sensor_search sensorsearch query
2018-07-03 08:38:14 hostname:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, let's back all the way up.
I have your original macro defined as reqsensorsearch_bad with:
eval sensorsearch query="$sensor_search$"
The result of this:
|makeresults | eval sensor_search="hostname:<myhost>" | `reqsensorsearch_bad(sensor_search)`
is this:
_time sensor_search sensorsearch query
2018-07-03 18:20:01 hostname:<myhost> sensor_search
The result of this:
|makeresults | eval sensor_search="hostname:<myhost>" | `reqsensorsearch(sensor_search)`
Is this:
_time sensor_search sensorsearch query
2018-07-03 18:19:03 hostname:<myhost> "hostname:<myhost>"
The bottom line is that macro arguments behave the way that you treat them. If you treat them as string literals, then they will behave that way; if you treat them as field names, then they will behave that way.
Splunk Observability as Code: From Zero to Dashboard
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Shape the Future of Splunk: Join the Product Research Lab!
