Knowledge Management
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to pass field values as macro arguments?

andra_pietraru
Path Finder
‎04-23-2015 06:02 AM

Hi,

I am trying to pass a field as an argument for a macro that I have defined, but it's not working.
My macro looks like:

[search sourcetype=type1 field1=$arg1$ | rename field2 as query | fields query | head 1]

My query is:

sourcetype=type2|eval newField=`newMacro(field3)`|table newField,field3

If I pass a value (e.g: newMacro(0001)) it works. Can someone tell me how to pass field3 as an argument?
Thanks!

Tags (2)
Reply

darljedmatundan
Observer
‎02-27-2024 09:02 PM

I am browsing to look for a solution to this issue and eventually accidentally found a solution myself. Try if this will work for you. 

search sourcetype=type1 field1='$arg1$' | rename field2 as query | fields query | eval newField=query

 Single quotes will return the value of the field in an eval expression.

0 Karma
Reply

masonmorales
Influencer
‎04-23-2015 06:57 AM

Your eval should be in the macro, so you'd just call it and pass it field3. i.e.:

 sourcetype=type2|`newMacro(field3)`|table newField,field3

Let me know if you need help with the macro itself.

Reply

wbcem
Explorer
‎01-17-2017 10:34 AM

Mason - I'm trying to replicate your code so that I can pass a field into a macro instead of a string, something that I really need to do to get around an data import issue that I have no immediate control over.

I'm using the same syntax you had suggested, newmacro(field3). However, The name of the field is getting passed into the macro as a string instead the value of the field. I do not have quotes around the field.

Got any suggestions?

Reply

bwlm
Path Finder
‎03-23-2020 02:20 PM

I am trying to figure out the same issue as well...

0 Karma
Reply

andra_pietraru
Path Finder
‎04-23-2015 07:12 AM

I would like to get an idea for the macro as well.
Now the macro I have looks like:

search sourcetype=type1 field1=$arg1$ | rename field2 as query | fields query | eval newField=query

Thanks!

0 Karma
Reply

masonmorales
Influencer
‎04-23-2015 08:39 AM

Try changing it to 

appendcols [ search sourcetype=type1 field1=$arg1$ | rename field2 as query | fields query | eval newField=query]

or

append [ search sourcetype=type1 field1=$arg1$ | rename field2 as query | fields query | eval newField=query]
0 Karma
Reply

andra_pietraru
Path Finder
‎04-23-2015 11:46 PM

I tried both. The first one gives error :"Error in 'appendcols' command: You can only use appendcols after a reporting command (such as stats, chart, or timechart)".
The second one doesn't give error. But the newField column is empty. Any ideas why? Could it be because I have two different sourcetypes?

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top