Knowledge Management

Insert field value into macro parameter

tcoq
Path Finder

Hi everybody,

I have this search, using a macro called getImageURL(2):

...
table country client artnumber | 
eval sql = if(client==2,[|`getImageURL(2,artnumber )`], sql)

If I type artnumber directly, e.g. "1234", everything is fine.

If I use the artnumber field, the macro does not accept the field value as a parameter. (it is interpreting it as a string)

Does anyone know how to use the field value of "artnumber"?

Best regards in advance
Steffen

0 Karma
1 Solution

tcoq
Path Finder

I found a less complicated solution for my case based on map command:

...
table country client artnumber | 
| map maxsearches=15 search="|`getImageURL(2,$artnumber$)`"

View solution in original post

0 Karma

tcoq
Path Finder

I found a less complicated solution for my case based on map command:

...
table country client artnumber | 
| map maxsearches=15 search="|`getImageURL(2,$artnumber$)`"
0 Karma

santosh_sshanbh
Path Finder

This is not working in my case. How can I pass a field value as a parameter to a macro?

Tags (1)
0 Karma

woodcock
Esteemed Legend

First, fix your macro to handle a list of artnumber values separated by pipe characters. Then do this:

 Your Base Search Here | outputcsv TempFile.csv | where ThisFieldWillNotExist="So this drops all aevents"
| appendpipe [ `getImageURL(2, [|inputcsv TempFile.csv | search client="2" | fields artnumber | | format "(" "" "" "" "|" ")" | rex field=search mode=sed "s/\" | artnumber=\"//g"]` | outputlookup YourLookupDefintionHere | where ThisFieldWillNotExist="So this drops all aevents"]
| appendpipe [ |inputcsv TempFile.csv | lookup YourLookupDefintionHere artnumber OUTPUT sql ]

The first line saves off the base search results and then throws all events away.
The second line uses those same search results to create a lookup file (you may need to adjust some stuff here) and then clears the slate again.
The third line reads in the events one more time and runs them through the lookup file that you just created.

0 Karma

woodcock
Esteemed Legend

The problem is that your macro is embedded inside a (contextually isolated) subsearch. All subsearches run FIRST, before anything else. In this case, that means that the artnumber field name that you are using inside of your macro call doesn't exist because no events from the outer search exist inside of the inner macro. This is absolutely the problem. It is not clear to me why you are using a subsearch (mostly because you have not shared the guts of your macro), but perhaps you can just get rid of the square brackets and not use a subsearch at all.

0 Karma

tcoq
Path Finder

I am using a subsearch, because inside of the macro there is a dbx-query search to a secondary database.(DB-Connect) DBX must be at the beginning of a search and only a subseach allows to put it at the beginning...

0 Karma

somesoni2
Revered Legend

Try to put our whole eval inside macro and then use the macro in your search

Macro definition:   eval sql=if($client$==2,yourcurrentMacroCode,sql)
Params: client, artnumber

your Search

...
 table country client artnumber | `getImageURL(client,artnumber )`
0 Karma

tcoq
Path Finder

It is the same problem like the upper advice. Inside of the macro is a dbx sql-query which must be at the beginning of a search. So I need to do a subsearch...

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...