Knowledge Management

How to pass multiple values from a search as parameters to a macro so the macro will be run for each value?

akawacz
Path Finder

Hi

I have created a macro with a parameter. Then I have a list/search with 8 values.

How is it possible to pass those values into macro as parameters so that macro will be run 8 times and give appended results?

Thank you

1 Solution

woodcock
Esteemed Legend

First of all, you can call another macro from within a macro. I assume you are asking how to make a macro that can take a variable number of parameters. Directly, you cannot, but you can pass in the value for a field which has encoded inside like this:

... | `mymacro("value1;value2;value3;value4;value5;value6;value7;value8")`

Then inside the macro, use makemv delim=";" to break apart the field into a multi-valued field and then use mvexpand to create separate events on which to operate, perhaps calling another macro.

View solution in original post

0 Karma

woodcock
Esteemed Legend

First of all, you can call another macro from within a macro. I assume you are asking how to make a macro that can take a variable number of parameters. Directly, you cannot, but you can pass in the value for a field which has encoded inside like this:

... | `mymacro("value1;value2;value3;value4;value5;value6;value7;value8")`

Then inside the macro, use makemv delim=";" to break apart the field into a multi-valued field and then use mvexpand to create separate events on which to operate, perhaps calling another macro.

0 Karma

akawacz
Path Finder

This was helpfull however my situation is a bit different

my marcro:
eval FLAG=if(isnull($Parameter$),0,1) | eval TYPE="$Parameter$" | stats sum(FLAG) as COUNT by TYPE, sourcetype, REPORT_TIME

so on my list there are 8 different values. Every value go to the macro into 2 places ($parameter$) and give the result then another value go into 2 places and result and so on.

| mymacro(parameter) |

Is it posible to do that ?

0 Karma

woodcock
Esteemed Legend

I do not understand your term list. Are you saying that parameter is a multi-valued field with 8 values? Maybe you should give example data (with fields).

0 Karma

akawacz
Path Finder

I want to get my list from search if possible. It will be 8 column names. If not I can maybe use CSV file and use inputlookup command

Then I want to add one column name at the time run a macro then add another and run a macro. At the end result will be comined.

example data:
Name
ID
ect

hope this help

0 Karma

woodcock
Esteemed Legend

OK, then! That is different. Try this:

... | foreach * [`mymacro(<<FIELD>>)`]
0 Karma

yvassilyeva
Path Finder

@woodcock 

when you are saying 

| foreach * [`mymacro(<<FIELD>>)`]

what is the value of a * ? I am tryin gto use macro twice in my search, but not working 

Tags (1)
0 Karma

akawacz
Path Finder

I think with your hint I am closer to solution however I have encounter further issues.Results are not combined into one. It is showing last result

It looks that my macro does not work properly.
eval FLAG=if(isnull($Parameter$),0,1) | eval TYPE="$Parameter$" | stats sum(FLAG) as COUNT by TYPE, sourcetype, REPORT_TIME

Once I am testing without macro and put brackets ] after second
eval expression - i have got result for one filed. Once I put them at the end I got error message.
...... | foreach IM_* [eval FLAG=if(isnull(<>),0,1)]|stats sum(ERR_FLAG) as ERR_COUNT by sourcetype, REPORT_PERIOD

Foreach can not deal with Text.

0 Karma

woodcock
Esteemed Legend

I see that you asked another question related to this and I am as confused on that one as I am on this one. We are working too much on a particular solution path without understanding the entire problem. Let's back ALL THE WAY UP and get a firm foundation. Show a minimal sample data set and then show a mock-up of the desired output. I am sure we will be able to help you.

0 Karma

akawacz
Path Finder

Hello,
Thank you for helping me here
As you probably see I have managed to solve my issue in a bit different way (second my question ) but here I wanted use a macro for that.

So basically I wanted check how many values are populated in the filed for couple of different columns.

E.g. Column ASSIGNEE for some different months have different counts for populated filed
Sep- 100 Nov -200 vs all events is 1000. So Sep- is 10% and Nov 20% of populated values in the filed ASSIGNE

I was going to do a macro which will be populated one column at a time.
E.g. first time ASSIGNE later another column name and so on.
For this reason I have transformed column headers into value
index=test_im | stats dc(IM*) as IM* | transpose| fields column |

Then I was planing use one column put to the macro using FOREACH command

My idea was:

index=test_im | stats dc(IM*) as IM* | transpose| fields column
| foreach * [mymacro(<>)]

Macro: will populate <> with columns (like ASSIGNEE later another coulmn and so on. )At the end result will be combined
my macro:
eval FLAG=if(isnull($Parameter$),0,1) | eval TYPE="$Parameter$" | stats sum(FLAG) as COUNT by TYPE, sourcetype, REPORT_TIME

Sorry for not good expalanation. Just starting with Splunk and want to explore a lot of new commands.

0 Karma

woodcock
Esteemed Legend

Just post your final answer to both questions and then click "Accept" to close them both.

0 Karma

akawacz
Path Finder

I have Accepted second question. Here Macro is still not working for me.

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...