Is it possible to pass an event field as an argument to a macro?

mnm1987
Explorer

Hello Fellow Splunkers,
This is a question about macros in Splunk. I was wondering if it's even possible to pass field names from events as arguments to your macro.

For example: if I have a macro configured as getInfo(info_id,info_time), info_id and info_time would be event fields from an index.
Something like index=infologs |getinfo(info_id,info_time)

Thanks.
Mukund

0 Karma

gokadroid
Motivator

Yes, you can. Have a look here for an example which uses a revenue field passed together with another rate value, which then get multiplied inside the macro.

Example in its simplest terms:

Go to Settings » Advanced search » Search macros » Add new

Update in the sections Name, Definition and Argument respectively as multiplyABC(3), eval dd=$a$*$b$*$c$, a,b,c
Call it as follows:

`multiplyABC(field1,field2,field3)`
0 Karma

mnm1987
Explorer

gokadroid - Thanks for the response, I understand that the above steps are handy when creating a macro with Arguments.

But my requirement was to be able to specify or call the macro in the following way
index="blah" |multiplyABC(field1,field2,field3)
where field1,field2 and field3 are not explicitly hardcoded values, instead they are Fields in the events found for index="blah".

Based on my observation, event fields passed as arguments get treated literally instead of having their values interpreted, i.e.
the expanded macro search would look as follows

eval dd=field1*field2*field3

0 Karma
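The macro from the steps above written as a `macros.conf` stanza, with a test search that needs no index. This is an added example, not part of the original thread; the sample field values in the search are constructed.

```ini
# macros.conf stanza equivalent to the Name / Definition / Arguments
# values entered in the UI steps above.
[multiplyABC(3)]
args = a,b,c
definition = eval dd=$a$*$b$*$c$

# Test search (constructed sample event, runs without any index):
#
#   | makeresults
#   | eval field1=2, field2=3, field3=4
#   | `multiplyABC(field1,field2,field3)`
#   | table field1 field2 field3 dd
#
# Macro arguments are substituted as text before the search runs, so the
# search that actually executes contains:
#
#   eval dd=field1*field2*field3
#
# eval reads an unquoted name as a field reference and evaluates it per
# event, so dd is computed from each event's own field values.
# A double-quoted argument such as "field1" is a string literal in eval,
# not a field reference, and would not multiply.
```

The macro call must be wrapped in backticks in the search, as in the answer above; without them the text is not expanded as a macro.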