Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to pass field values as macro arguments?

andra_pietraru
Path Finder
‎04-23-2015 06:02 AM

Hi,

I am trying to pass a field as an argument for a macro that I have defined, but it's not working.
My macro looks like:

[search sourcetype=type1 field1=$arg1$ | rename field2 as query | fields query | head 1]

My query is:

sourcetype=type2|eval newField=`newMacro(field3)`|table newField,field3

If I pass a value (e.g: newMacro(0001)) it works. Can someone tell me how to pass field3 as an argument?
Thanks!

Tags (2)
Reply

darljedmatundan
Observer
‎02-27-2024 09:02 PM

I am browsing to look for a solution to this issue and eventually accidentally found a solution myself. Try if this will work for you. 

search sourcetype=type1 field1='$arg1$' | rename field2 as query | fields query | eval newField=query

 Single quotes will return the value of the field in an eval expression.

0 Karma
Reply

masonmorales
Influencer
‎04-23-2015 06:57 AM

Your eval should be in the macro, so you'd just call it and pass it field3. i.e.:

 sourcetype=type2|`newMacro(field3)`|table newField,field3

Let me know if you need help with the macro itself.

Reply

wbcem
Explorer
‎01-17-2017 10:34 AM

Mason - I'm trying to replicate your code so that I can pass a field into a macro instead of a string, something that I really need to do to get around an data import issue that I have no immediate control over.

I'm using the same syntax you had suggested, newmacro(field3). However, The name of the field is getting passed into the macro as a string instead the value of the field. I do not have quotes around the field.

Got any suggestions?

Reply

bwlm
Path Finder
‎03-23-2020 02:20 PM

I am trying to figure out the same issue as well...

0 Karma
Reply

andra_pietraru
Path Finder
‎04-23-2015 07:12 AM

I would like to get an idea for the macro as well.
Now the macro I have looks like:

search sourcetype=type1 field1=$arg1$ | rename field2 as query | fields query | eval newField=query

Thanks!

0 Karma
Reply

masonmorales
Influencer
‎04-23-2015 08:39 AM

Try changing it to 

appendcols [ search sourcetype=type1 field1=$arg1$ | rename field2 as query | fields query | eval newField=query]

or

append [ search sourcetype=type1 field1=$arg1$ | rename field2 as query | fields query | eval newField=query]
0 Karma
Reply

andra_pietraru
Path Finder
‎04-23-2015 11:46 PM

I tried both. The first one gives error :"Error in 'appendcols' command: You can only use appendcols after a reporting command (such as stats, chart, or timechart)".
The second one doesn't give error. But the newField column is empty. Any ideas why? Could it be because I have two different sourcetypes?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Index This | I am a number but I am countless. What am I?

January 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  Happy New Year! We’re ...

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

PLATFORM TECH TALKS What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience Thursday, February 27, ...