Knowledge Management

How to run a macro multiple times in a search?

mjm_bhatiarahul
New Member

Hello,

I am trying to run a macro multiple times in a search. If the search returns 10 results, the macro should run 10 times. Is there a way to achieve this?

I don't want to use 'map' command for this. The macro contains simple lookup statements that I want to execute in my search. Depending on how many search results are returned, the macro will run those many times and execute the lookup statements.

Thanks

0 Karma
1 Solution

David_Naylor
Path Finder

Hello

Give this a go

| foreach result [macro_name_here]

I successfully tested this methodology in my test environment by running the following (after changing the macro's permission)

index=_internal |head 10 | foreach result [dmc_get_core_info]

As expected this gave me a core_info field in each event

Goodluck! -David

View solution in original post

0 Karma

David_Naylor
Path Finder

Hello

Give this a go

| foreach result [macro_name_here]

I successfully tested this methodology in my test environment by running the following (after changing the macro's permission)

index=_internal |head 10 | foreach result [dmc_get_core_info]

As expected this gave me a core_info field in each event

Goodluck! -David

0 Karma

yvassilyeva
Path Finder

@David_Naylor 

in the command, what field are you using for ‘result’?

And is dmc_get_core_info the name of your macro?

Tags (1)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

@yvassilyeva I think you'll find that this is a confusing answer, as you don't actually need a foreach command, as the macro will run for all events anyway. 

0 Karma

yvassilyeva
Path Finder

So if i have macro called BusinessDaysMacro and the field that it produces is called BusinessDays, i could run it with different fields )like below)  for different business days calculation, and how do i get different results where the first time i run it it will give me output called BusinessDays, what about the second time i run it with different fields?

| `BusinessDaysMacro(field1,field2, 00, 24)` 
| `BusinessDaysMacro(field3,field4, 00, 24)` 

 

Thank you for your input @bowesmana 

Tags (1)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

Good idea to ask a new question on a separate thread, but if you run a macro twice that makes a fixed field name each time, then it will overwrite it on the second call.

You can do several things to change this, e.g. add a new parameter that is the field name you want it to create on the macro run

Or rename the output field after the first call

yvassilyeva
Path Finder

@bowesmana exactly what i did - renamed macro output fields after each time i run it. Thank you.

0 Karma

mjm_bhatiarahul
New Member

Thanks David... I was not aware that 'foreach' could be used like this to run for each search result.

The only thing I am missing now is the ability to pass field values to the macro. I have gone through a few threads and it seems it is not possible to pass the values as arguments to a macro.

But thanks for pointing this out with 'foreach'!

0 Karma

somesoni2
Revered Legend

What lookup command is run in the macro?

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...