Knowledge Management

How to pass multiple values from a search as parameters to a macro so the macro will be run for each value?

akawacz
Path Finder

Hi

I have created a macro with a parameter. Then I have a list/search with 8 values.

How is it possible to pass those values into macro as parameters so that macro will be run 8 times and give appended results?

Thank you

1 Solution

woodcock
Esteemed Legend

First of all, you can call another macro from within a macro. I assume you are asking how to make a macro that can take a variable number of parameters. Directly, you cannot, but you can pass in the value for a field which has encoded inside like this:

... | `mymacro("value1;value2;value3;value4;value5;value6;value7;value8")`

Then inside the macro, use makemv delim=";" to break apart the field into a multi-valued field and then use mvexpand to create separate events on which to operate, perhaps calling another macro.

View solution in original post

0 Karma

woodcock
Esteemed Legend

First of all, you can call another macro from within a macro. I assume you are asking how to make a macro that can take a variable number of parameters. Directly, you cannot, but you can pass in the value for a field which has encoded inside like this:

... | `mymacro("value1;value2;value3;value4;value5;value6;value7;value8")`

Then inside the macro, use makemv delim=";" to break apart the field into a multi-valued field and then use mvexpand to create separate events on which to operate, perhaps calling another macro.

0 Karma

akawacz
Path Finder

This was helpfull however my situation is a bit different

my marcro:
eval FLAG=if(isnull($Parameter$),0,1) | eval TYPE="$Parameter$" | stats sum(FLAG) as COUNT by TYPE, sourcetype, REPORT_TIME

so on my list there are 8 different values. Every value go to the macro into 2 places ($parameter$) and give the result then another value go into 2 places and result and so on.

| mymacro(parameter) |

Is it posible to do that ?

0 Karma

woodcock
Esteemed Legend

I do not understand your term list. Are you saying that parameter is a multi-valued field with 8 values? Maybe you should give example data (with fields).

0 Karma

akawacz
Path Finder

I want to get my list from search if possible. It will be 8 column names. If not I can maybe use CSV file and use inputlookup command

Then I want to add one column name at the time run a macro then add another and run a macro. At the end result will be comined.

example data:
Name
ID
ect

hope this help

0 Karma

woodcock
Esteemed Legend

OK, then! That is different. Try this:

... | foreach * [`mymacro(<<FIELD>>)`]
0 Karma

yvassilyeva
Path Finder

@woodcock 

when you are saying 

| foreach * [`mymacro(<<FIELD>>)`]

what is the value of a * ? I am tryin gto use macro twice in my search, but not working 

Tags (1)
0 Karma

akawacz
Path Finder

I think with your hint I am closer to solution however I have encounter further issues.Results are not combined into one. It is showing last result

It looks that my macro does not work properly.
eval FLAG=if(isnull($Parameter$),0,1) | eval TYPE="$Parameter$" | stats sum(FLAG) as COUNT by TYPE, sourcetype, REPORT_TIME

Once I am testing without macro and put brackets ] after second
eval expression - i have got result for one filed. Once I put them at the end I got error message.
...... | foreach IM_* [eval FLAG=if(isnull(<>),0,1)]|stats sum(ERR_FLAG) as ERR_COUNT by sourcetype, REPORT_PERIOD

Foreach can not deal with Text.

0 Karma

woodcock
Esteemed Legend

I see that you asked another question related to this and I am as confused on that one as I am on this one. We are working too much on a particular solution path without understanding the entire problem. Let's back ALL THE WAY UP and get a firm foundation. Show a minimal sample data set and then show a mock-up of the desired output. I am sure we will be able to help you.

0 Karma

akawacz
Path Finder

Hello,
Thank you for helping me here
As you probably see I have managed to solve my issue in a bit different way (second my question ) but here I wanted use a macro for that.

So basically I wanted check how many values are populated in the filed for couple of different columns.

E.g. Column ASSIGNEE for some different months have different counts for populated filed
Sep- 100 Nov -200 vs all events is 1000. So Sep- is 10% and Nov 20% of populated values in the filed ASSIGNE

I was going to do a macro which will be populated one column at a time.
E.g. first time ASSIGNE later another column name and so on.
For this reason I have transformed column headers into value
index=test_im | stats dc(IM*) as IM* | transpose| fields column |

Then I was planing use one column put to the macro using FOREACH command

My idea was:

index=test_im | stats dc(IM*) as IM* | transpose| fields column
| foreach * [mymacro(<>)]

Macro: will populate <> with columns (like ASSIGNEE later another coulmn and so on. )At the end result will be combined
my macro:
eval FLAG=if(isnull($Parameter$),0,1) | eval TYPE="$Parameter$" | stats sum(FLAG) as COUNT by TYPE, sourcetype, REPORT_TIME

Sorry for not good expalanation. Just starting with Splunk and want to explore a lot of new commands.

0 Karma

woodcock
Esteemed Legend

Just post your final answer to both questions and then click "Accept" to close them both.

0 Karma

akawacz
Path Finder

I have Accepted second question. Here Macro is still not working for me.

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...