Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I pass a variable to a macro in a saved search?

jks_at_senscons
New Member
‎01-14-2019 10:41 PM

I want to pass a variable to a savedsearch using this method:

| savedsearch mySavedSearch1 inputParam1="value1"

Within "mySavedSearch1" I have a macro where I want to use the value of inputParam1:

|`myMacro1($inputParam1$)`

"myMacro1" contains the following

| tstats count where `indexes_$inputParam1$` by host

When I try to save mySavedSearch1 I get the following error:

Error in 'SearchParser': The name
'indexes_$inputParam1$' is invalid. Macro
and argument names may only include
alphanumerics, '_' and '-'.

The example is highly stripped and myMacro1 contains much more. The reason behind this setup is to be able to reuse myMacro1 both in reports and dashboards.

To me it seems like I am not able to turn the input parameter "inputParam1" into a value in mySavedSearch1.
Anyone who can help me out?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎01-15-2019 12:54 AM

The error is about this part: 

| tstats count where `indexes_$inputParam1$` by host

Specifically that macro reference. Apparently, you're not allowed to use a token like that to have a dynamic macro reference. Can't you define that indexes_... macro such that it takes the token as input, rather than using it as part of the macro name? So you can do | tstats count whereindexes($inputParam1$)`.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎01-15-2019 12:54 AM

The error is about this part: 

| tstats count where `indexes_$inputParam1$` by host

Specifically that macro reference. Apparently, you're not allowed to use a token like that to have a dynamic macro reference. Can't you define that indexes_... macro such that it takes the token as input, rather than using it as part of the macro name? So you can do | tstats count whereindexes($inputParam1$)`.

0 Karma
Reply
Solved! Jump to solution

jks_at_senscons
New Member
‎01-15-2019 03:47 AM

Thanks alot, FrankVI!
I did it the way you recommended and it worked.
I lost the option of chosing macros dynamically, but will try to fix that in another fashion. 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...