Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to pass an event field as an argument to a macro?

mnm1987
Explorer
‎01-12-2017 12:43 PM

Hello Fellow Splunkers,
This is a question about Macros in Splunk. I was wondering if its even possible to pass field name from Events as arguments to your macro.

For eg: If I have a macro configured to getInfo(info_id,info_time), info_id and info_time would be event fields from an index.
something like index=infologs |getinfo(info_id,info_time)

Thanks.
Mukund

Tags (2)
0 Karma
Reply

gokadroid
Motivator
‎01-12-2017 03:07 PM

Yes you can. Have a look here as an example which uses revenue field being passed with another rate value which then get multiplied inside the macro.

Example in its simplest terms:

GoTo Settings»  Advanced search » Search macros » Add new

Update in the sections Name, Definition and Argument respectively as multiplyABC(3), eval dd=$a$*$b$*$c$, a,b,c
Call it as follows:

`multiplyABC(field1,field2,field3)`
0 Karma
Reply

mnm1987
Explorer
‎01-17-2017 08:24 AM

gokadroid - Thanks for the response, I understand that the above steps are handy when creating a macro with Arguments.

But my requirement was to be able to specify or call the macro in the following way
index="blah" |multiplyABC(field1,field2,field3)
where field1,field2 and field3 are not explicitly hardcoded values, instead they are Fields in the events found for index="blah".

Based on my observation, passing event fields get treated literally instead of interpreting their values, i.e.
the expanded macro search would look as follows

eval dd=field1*field2*field3

Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...