Macros using data from search

phoenixdigital
Builder

Seems like a pretty simple thing I am trying to do, but it won't work.

I have some bitwise data which I want to convert into a string equivalent. So in this example I want to see if bit 0 or bit 1 is set.
Bit0 = This Text
Bit1 = That Text

This search works perfectly

    sourcetype=blah | eval desc=if(floor(bitData)%2>0,"This Text, ","") | eval desc=desc+ if(floor(bitData/2)%2>0,"That Text, ","") | table _time, bitData, desc

Now I actually have 16 bitfields and want to reuse this eval chain quite a bit so thought I would make a macro out of it.

However this does not work

Macro definition

    eval desc=desc+ if(floor($bitField$/2)%2>0,"That Text, ","") | eval desc=desc+ if(floor($bitField$/2)%2>0,"That Text, ","")

This search does not work though

    sourcetype=blah | `myMacro(bitData)` | table _time, bitData, desc

I get the errors

Error in 'SearchParser': Missing a search command before ' '.
Unknown search command 'gen'.

What gives here?

phoenixdigital
Builder

Finally worked it out. Turns out you cannot have newlines in macros but you can in a search.

So my example above was not entirely correct; it should have been:

Working search

    sourcetype=blah |
    eval desc=if(floor(bitData)%2>0,"This Text, ","") |
    eval desc=desc+ if(floor(bitData/2)%2>0,"That Text, ","") |
    table _time, bitData, desc

Macro that doesn't work

    eval desc=desc+ if(floor($bitField$/2)%2>0,"That Text, ","") |
    eval desc=desc+ if(floor($bitField$/2)%2>0,"That Text, ","")

Macro that does work

    eval desc=desc+ if(floor($bitField$/2)%2>0,"That Text, ","") | eval desc=desc+ if(floor($bitField$/2)%2>0,"That Text, ","")

I have them all on newlines as there are 16 rows for the entire macro and I wanted it to be readable and easy to edit.

So it's a bit inconsistent that newlines are allowed in a search but not in a macro. Should I submit this as a bug?

Thanks to those that tried to assist.
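The post above wants 16 readable rows but needs the macro definition on a single line. One way to keep both, as an added example that is not part of the original post: hold the bit labels in a small table and generate the one-line eval chain from it. The third label, the macros.conf stanza layout as the place the definition ends up, and all function names are assumptions of this example.

```python
# Added example. Labels are constructed placeholders; only the first two
# ("This Text", "That Text") appear in the thread.
BIT_LABELS = {0: "This Text", 1: "That Text", 2: "Third Text (constructed)"}


def build_macro_definition(labels, arg="bitField", out="desc"):
    """Return the eval chain as ONE line (the thread found newlines break macros)."""
    clauses = []
    for n, (bit, label) in enumerate(sorted(labels.items())):
        if not 0 <= bit < 16:
            raise ValueError(f"bit {bit} is outside the 16-bit field")
        if '"' in label or "\n" in label:
            # A quote or newline would break the generated SPL string literal.
            raise ValueError(f"label for bit {bit} contains a quote or newline")
        # Bit 0 tests the raw value; bit n tests floor(value / 2**n) % 2.
        operand = f"${arg}$" if bit == 0 else f"${arg}$/{2 ** bit}"
        test = f'if(floor({operand})%2>0,"{label}, ","")'
        # First clause initialises the field, later clauses append to it.
        prefix = f"{out}=" if n == 0 else f"{out}={out}+ "
        clauses.append(f"eval {prefix}{test}")
    return " | ".join(clauses)


def decode(value, labels):
    """Reference decoder using the same floor(x / 2**bit) % 2 arithmetic."""
    return "".join(
        f"{label}, "
        for bit, label in sorted(labels.items())
        if (value // 2 ** bit) % 2 > 0
    )


def macros_conf_stanza(name, labels, arg="bitField"):
    """Render a one-argument macro stanza (assumed macros.conf layout)."""
    definition = build_macro_definition(labels, arg)
    return f"[{name}(1)]\nargs = {arg}\ndefinition = {definition}\n"


if __name__ == "__main__":
    print(macros_conf_stanza("myMacro", BIT_LABELS))
    for sample in (0, 1, 2, 3, 5):  # constructed bitData values
        print(sample, repr(decode(sample, BIT_LABELS)))
```

Running `decode` over a few known values before pasting the generated line into the macro gives a quick check that each label is attached to the bit you expect.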

jonuwz
Influencer

The fields in a macro are named. You need to pass the field into the macro like this:

    sourcetype=blah | `myMacro(bitData=bitData)` | table _time, bitData, desc

DalJeanis
SplunkTrust

That middle section would be

    | `myMacro(bitField=bitData)`

Ron_Naken
Splunk Employee

There doesn't appear to be anything wrong with your syntax. Click the blue [i] next to the printer icon on the right of the search bar, after executing your search. Scroll down to eventSearch to see how your macro is being expanded in the search. It's likely a typo.
