Re: How do I make macro arguments get parsed as fi...

MonkeyK · ‎06-29-2018

I am trying to create a macro that will take a field from an existing query. But when I try to call it the macro treats its argument as a literal value rather than the search field value.

Specifically what I am trying to do is to lookup info about a queried machine in Carbon Black.

the macro looks like this

name: reqsensorsearch(1)
sensorsearch query="$sensor_search$"

I tried testing my macro with

|makeresults | eval sensor_search="hostname:<myhost>" | `reqsensorsearch(sensor_search)`

but if I do Ctrl+Shift+E (to expand and display), I see this

| makeresults 
| eval sensor_search="hostname:<myhost>" 
| sensorsearch query="sensor_search"

What do I need to do to make the macro accept the value of the field sensor_search? So I can get it to run as

 |sensorsearch query="hostname:<myhost>"

woodcock · ‎06-29-2018

Change your macro definition to this:

 eval sensorsearch query="\"" . $sensor_search$ . "\""

MonkeyK · ‎07-02-2018

do you mean like this?
| makeresults
| eval sensor_search="hostname:"
| eval sensorsearch query="\"" . $sensor_search$ . "\""

in that case, it expands to
| makeresults
| eval sensor_search="hostname:"
| eval sensorsearch query="\"" . $sensor_search$ . "\""

and the results come out as
_time sensor_search sensorsearch query
2018-07-02 08:45:03 hostname: "hostname:"

so that just eval's "seansorsearch query" as a value

I also tried removing the second eval, for which sensorsearch command still failed. I should note that if I run sensorsearch directly, it works fine, but if it is run as

| makeresults 
| eval sensor_search="hostname:<myhost>"
| sensorsearch query="\"" . $sensor_search$ . "\""

I get back and error message and searchlog shows:
07-02-2018 08:47:42.608 INFO SearchParser - PARSING: | makeresults | eval sensor_search="hostname:" | sensorsearch query="\"" . $sensor_search$ . "\""

woodcock · ‎07-02-2018

No, no, no. Keep your SPL for testing the way that it is and change the definition of the macro itself to be exactly what is in my solution.

MonkeyK · ‎07-02-2018

Oh. Of course, sorry. But then I still get the same results as when it is inline. That is it just writes the string rather than running the command:

_time sensor_search sensorsearch query
2018-07-02 10:01:43 hostname:wxlpf0v968r "hostname:wxlpf0v968r"

woodcock · ‎07-02-2018

OK, look, define the macro the way that I showed you and then run this search:

|makeresults | eval sensor_search="hostname:<myhost>" | `reqsensorsearch(sensor_search)`

MonkeyK · ‎07-03-2018

I really think that is what I am doing

My macro:
Definition: eval sensorsearch query="\"" . $sensor_search$ . "\""
user eval-based definition: not checked
Arguments: sensor_search

search line:
|makeresults | eval sensor_search="hostname:" | reqsensorsearch(sensor_search)

results:
_time sensor_search sensorsearch query
2018-07-03 08:38:14 hostname: "hostname:"

woodcock · ‎07-03-2018

OK, let's back all the way up.
I have your original macro defined as reqsensorsearch_bad with:

eval sensorsearch query="$sensor_search$"

The result of this:

|makeresults | eval sensor_search="hostname:<myhost>" | `reqsensorsearch_bad(sensor_search)`

is this:

_time   sensor_search   sensorsearch query
2018-07-03 18:20:01 hostname:<myhost>   sensor_search

The result of this:

|makeresults | eval sensor_search="hostname:<myhost>" | `reqsensorsearch(sensor_search)`

Is this:

_time   sensor_search   sensorsearch query
2018-07-03 18:19:03 hostname:<myhost>   "hostname:<myhost>"

The bottom line is that macro arguments behave the way that you treat them. If you treat them as string literals, then they will behave that way; if you treat them as field names, then they will behave that way.

How do I make macro arguments get parsed as fields instead of literals?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life