Knowledge Management

How to string compare field values in an eval macro?

d389133
Explorer

I'm working on a search to gather events from similar time periods over several weeks (i.e. Mondays between 14:00 and 14:30).
It's easy enough to do using eval statements after my initial search, but I'm trying to optimise by using eval macros in my search.

In this case, I'm testing if the event is on the same weekday as the current day (i.e. select all events that occurred on a Monday).

Using normal evals I can do this:

sourcetype=*
| eval filter=if(date_wday==lower(strftime(time(),"%A")),date_wday,"drop")
| where date_wday=filter

So converted to an eval macro, I've done this:

if("$day$"==lower(strftime(time(),"%A")),"\"$day$\"","\"drop\"")

However, this returns false when I pass in a field, and no events are kept:

sourcetype=*  date_wday=`FilterDay(date_wday)`

Calling with a hardcoded string as the parameter does work (although it's a little pointless):

sourcetype=*  date_wday=`FilterDay("tuesday")`

I've tried every combination of quotes/escapes/tostring I can think of in the macro, and nothing has worked. Any suggestions?

Note: The macro has been created in the webgui, and looks like this:
[screenshot of the macro definition in the web GUI; not reproduced here]

EDIT
Something is really weird with how the macro treats the field I pass in.
If I change the macro to this:

if("$day$"=="date_wday","$day$","\"drop\"")

It evaluates to true (meaning that here "$day$" evaluates to the field name, not the field value), BUT what is returned is the value of date_wday (i.e. wednesday, meaning that here "$day$" evaluates to the field value).

What the hell is causing the same expression to evaluate differently? How do I get the field value to be used in the if statement (I've also tried every other comparison function with the same results)

EDIT AGAIN
I was actually wrong, it never uses the value of $day$ inside the macro. Even the return actually returns date_wday as an unquoted string, which gets parsed as the field by the search when it returns, so doing date_wday=FilterDay(date_wday) evaluates to date_wday=date_wday, and is always true.
My question still stands, how can I get the macro to test the value of date_wday?

1 Solution

ruman_splunk
Splunk Employee

It is impossible to pass fields to eval macros.

Macro expansion happens before the search is parsed. At macro expansion time, there are no fields! Let alone values assigned to fields. The search has not happened yet.

To work around this, replace the eval macro with a regular macro that generates an eval.

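The workaround the answer describes, written out as a macros.conf stanza and the search that calls it. This is an added example, not code from the original thread or from Splunk; the macro name filter_weekday, its argument name field, and the validation/errormsg guard are my assumptions.

```ini
# Added example (not from the original thread): a regular, non-eval macro
# that emits a where clause instead of trying to evaluate it at expansion time.
# Assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf
# The "(1)" suffix declares a macro that takes exactly one argument.
[filter_weekday(1)]
args = field

# $field$ is replaced textually before the search is parsed, so the
# expansion is a real `where` command that runs per event and reads the
# event's actual field value. now() is the search start time; date_wday
# is lowercase, hence lower() on the strftime result.
definition = where $field$ == lower(strftime(now(), "%A"))

# Assumed optional guard: the argument is pasted verbatim into the search
# string, so only accept something that looks like a plain field name.
validation = match(field, "^[A-Za-z_][A-Za-z0-9_.]*$")
errormsg = filter_weekday expects a single field name
```

Calling it as `sourcetype=* | \`filter_weekday(date_wday)\`` expands to `sourcetype=* | where date_wday == lower(strftime(now(), "%A"))`. This works where the eval macro could not because the eval macro was evaluated once, at expansion time, with the literal string "date_wday" substituted for $day$; the regular macro only produces text, and the where command that text becomes is evaluated against every event once the search actually runs.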


nagarjuna280
Communicator

Place if(date_wday==lower(strftime(time(),"%A")),date_wday,"drop") in the macro definition and try; I think you don't want to provide the day (like tuesday) manually.


d389133
Explorer

It didn't work for me unfortunately.

The problem seems to be with what "$day$" evaluates to in the left side of the statement.
If I make the macro:

if(true(),"$day$","\"false\"")

Then it returns the value of the field I pass it, but for some reason using "$day$" in the comparison doesn't work.
