Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to pass field values as macro arguments?

andra_pietraru
Path Finder
‎04-23-2015 06:02 AM

Hi,

I am trying to pass a field as an argument for a macro that I have defined, but it's not working.
My macro looks like:

[search sourcetype=type1 field1=$arg1$ | rename field2 as query | fields query | head 1]

My query is:

sourcetype=type2|eval newField=`newMacro(field3)`|table newField,field3

If I pass a value (e.g: newMacro(0001)) it works. Can someone tell me how to pass field3 as an argument?
Thanks!

Tags (2)
Reply

darljedmatundan
Observer
‎02-27-2024 09:02 PM

I am browsing to look for a solution to this issue and eventually accidentally found a solution myself. Try if this will work for you. 

search sourcetype=type1 field1='$arg1$' | rename field2 as query | fields query | eval newField=query

 Single quotes will return the value of the field in an eval expression.

0 Karma
Reply

masonmorales
Influencer
‎04-23-2015 06:57 AM

Your eval should be in the macro, so you'd just call it and pass it field3. i.e.:

 sourcetype=type2|`newMacro(field3)`|table newField,field3

Let me know if you need help with the macro itself.

Reply

wbcem
Explorer
‎01-17-2017 10:34 AM

Mason - I'm trying to replicate your code so that I can pass a field into a macro instead of a string, something that I really need to do to get around an data import issue that I have no immediate control over.

I'm using the same syntax you had suggested, newmacro(field3). However, The name of the field is getting passed into the macro as a string instead the value of the field. I do not have quotes around the field.

Got any suggestions?

Reply

bwlm
Path Finder
‎03-23-2020 02:20 PM

I am trying to figure out the same issue as well...

0 Karma
Reply

andra_pietraru
Path Finder
‎04-23-2015 07:12 AM

I would like to get an idea for the macro as well.
Now the macro I have looks like:

search sourcetype=type1 field1=$arg1$ | rename field2 as query | fields query | eval newField=query

Thanks!

0 Karma
Reply

masonmorales
Influencer
‎04-23-2015 08:39 AM

Try changing it to 

appendcols [ search sourcetype=type1 field1=$arg1$ | rename field2 as query | fields query | eval newField=query]

or

append [ search sourcetype=type1 field1=$arg1$ | rename field2 as query | fields query | eval newField=query]
0 Karma
Reply

andra_pietraru
Path Finder
‎04-23-2015 11:46 PM

I tried both. The first one gives error :"Error in 'appendcols' command: You can only use appendcols after a reporting command (such as stats, chart, or timechart)".
The second one doesn't give error. But the newField column is empty. Any ideas why? Could it be because I have two different sourcetypes?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
li.common.scroll-to.top