Knowledge Management

How to run a macro multiple times in a search?

mjm_bhatiarahul
New Member

Hello,

I am trying to run a macro multiple times in a search. If the search returns 10 results, the macro should run 10 times. Is there a way to achieve this?

I don't want to use 'map' command for this. The macro contains simple lookup statements that I want to execute in my search. Depending on how many search results are returned, the macro will run those many times and execute the lookup statements.

Thanks

0 Karma
1 Solution

David_Naylor
Path Finder

Hello

Give this a go

| foreach result [macro_name_here]

I successfully tested this methodology in my test environment by running the following (after changing the macro's permission)

index=_internal |head 10 | foreach result [dmc_get_core_info]

As expected this gave me a core_info field in each event

Goodluck! -David

View solution in original post

0 Karma

David_Naylor
Path Finder

Hello

Give this a go

| foreach result [macro_name_here]

I successfully tested this methodology in my test environment by running the following (after changing the macro's permission)

index=_internal |head 10 | foreach result [dmc_get_core_info]

As expected this gave me a core_info field in each event

Goodluck! -David

0 Karma

yvassilyeva
Path Finder

@David_Naylor 

in the command, what field are you using for ‘result’?

And is dmc_get_core_info the name of your macro?

Tags (1)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

@yvassilyeva I think you'll find that this is a confusing answer, as you don't actually need a foreach command, as the macro will run for all events anyway. 

0 Karma

yvassilyeva
Path Finder

So if i have macro called BusinessDaysMacro and the field that it produces is called BusinessDays, i could run it with different fields )like below)  for different business days calculation, and how do i get different results where the first time i run it it will give me output called BusinessDays, what about the second time i run it with different fields?

| `BusinessDaysMacro(field1,field2, 00, 24)` 
| `BusinessDaysMacro(field3,field4, 00, 24)` 

 

Thank you for your input @bowesmana 

Tags (1)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

Good idea to ask a new question on a separate thread, but if you run a macro twice that makes a fixed field name each time, then it will overwrite it on the second call.

You can do several things to change this, e.g. add a new parameter that is the field name you want it to create on the macro run

Or rename the output field after the first call

yvassilyeva
Path Finder

@bowesmana exactly what i did - renamed macro output fields after each time i run it. Thank you.

0 Karma

mjm_bhatiarahul
New Member

Thanks David... I was not aware that 'foreach' could be used like this to run for each search result.

The only thing I am missing now is the ability to pass field values to the macro. I have gone through a few threads and it seems it is not possible to pass the values as arguments to a macro.

But thanks for pointing this out with 'foreach'!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

What lookup command is run in the macro?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...