Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to pass field values as macro arguments?

andra_pietraru
Path Finder
‎04-23-2015 06:02 AM

Hi,

I am trying to pass a field as an argument for a macro that I have defined, but it's not working.
My macro looks like:

[search sourcetype=type1 field1=$arg1$ | rename field2 as query | fields query | head 1]

My query is:

sourcetype=type2|eval newField=`newMacro(field3)`|table newField,field3

If I pass a value (e.g: newMacro(0001)) it works. Can someone tell me how to pass field3 as an argument?
Thanks!

Tags (2)
Reply

darljedmatundan
Observer
‎02-27-2024 09:02 PM

I am browsing to look for a solution to this issue and eventually accidentally found a solution myself. Try if this will work for you. 

search sourcetype=type1 field1='$arg1$' | rename field2 as query | fields query | eval newField=query

 Single quotes will return the value of the field in an eval expression.

0 Karma
Reply

masonmorales
Influencer
‎04-23-2015 06:57 AM

Your eval should be in the macro, so you'd just call it and pass it field3. i.e.:

 sourcetype=type2|`newMacro(field3)`|table newField,field3

Let me know if you need help with the macro itself.

Reply

wbcem
Explorer
‎01-17-2017 10:34 AM

Mason - I'm trying to replicate your code so that I can pass a field into a macro instead of a string, something that I really need to do to get around an data import issue that I have no immediate control over.

I'm using the same syntax you had suggested, newmacro(field3). However, The name of the field is getting passed into the macro as a string instead the value of the field. I do not have quotes around the field.

Got any suggestions?

Reply

bwlm
Path Finder
‎03-23-2020 02:20 PM

I am trying to figure out the same issue as well...

0 Karma
Reply

andra_pietraru
Path Finder
‎04-23-2015 07:12 AM

I would like to get an idea for the macro as well.
Now the macro I have looks like:

search sourcetype=type1 field1=$arg1$ | rename field2 as query | fields query | eval newField=query

Thanks!

0 Karma
Reply

masonmorales
Influencer
‎04-23-2015 08:39 AM

Try changing it to 

appendcols [ search sourcetype=type1 field1=$arg1$ | rename field2 as query | fields query | eval newField=query]

or

append [ search sourcetype=type1 field1=$arg1$ | rename field2 as query | fields query | eval newField=query]
0 Karma
Reply

andra_pietraru
Path Finder
‎04-23-2015 11:46 PM

I tried both. The first one gives error :"Error in 'appendcols' command: You can only use appendcols after a reporting command (such as stats, chart, or timechart)".
The second one doesn't give error. But the newField column is empty. Any ideas why? Could it be because I have two different sourcetypes?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...