Search-macro that takes variable number of arguments

SonnyB
Explorer

(Keywords: varargs macros, dynamically built K=V fields, passing variable number of search-result’s fields’ values to a macro for computation).

How do you build a search-macro that takes a variable number of arguments? I do not know beforehand the exact number of K=V entries that will show up in the events of the search results and I need to pass the values of all such keys to the macro, to do some computation on the vector of values. Thus, I cannot define a macro signature that takes any fixed number of arguments. Can someone shed some light on the subject-matter? Any pointers to an example will be appreciated.

steveyz
Splunk Employee

Unfortunately this is not possible. Macros in most languages cannot take a variable number of arguments because the macro expansion is done as a pre-processing step, before there is any knowledge of the data.

vanvan
Path Finder

Old topic, but if someone experiences the same issue ... it will depend a lot on the content of the macro and the overall implementation, but for me the solution was to configure the macro to accept a single argument and in the SPL where I use the macro I enclose the arguments with double quotes.

E.g. I had a macro used in a dashboard; the arguments for the macro were taken from a multiselect input field on the dashboard. The input field creates a token $multipleValuesSeparatedByComma$ which I passed to the macro (the user can select one or more items in the field, thus passing one or more arguments to the macro):

myMacro($multipleValuesSeparatedByComma$)

This didn't work very well in the SPL contained in the macro when the user selected more than one value in the field. I then tried to add double quotes around the token and this SOLVED the problem, i.e.:

myMacro("$multipleValuesSeparatedByComma$")

Now the users can select single, double or multiple values and the underlying SPL understands it correctly and returns the right results.

0 Karma
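
One way to set up the single-argument approach described in the answer above, as an added example that is not part of the original thread. The argument name `values`, the field `host`, the index `main`, the sample values and the definition body are assumptions chosen for illustration.

```ini
# macros.conf -- constructed example; the argument name "values", the field
# "host" and the definition body are assumptions, not taken from the thread.
#
# The "(1)" in the stanza name declares exactly one argument. A call such as
#   `myMacro(web01,web02)`
# is parsed as two arguments and does not match this stanza, while
#   `myMacro("web01,web02")`
# passes the whole comma-separated list as one argument.
[myMacro(1)]
args = values
# split() turns the single string into a multivalue field, mvexpand makes one
# row per value, and the subsearch expands to (host="web01") OR (host="web02").
definition = search [| makeresults | eval host=split("$values$", ",") | mvexpand host | table host]

# Dashboard usage (Simple XML), with the token from the thread:
#   index=main | `myMacro("$multipleValuesSeparatedByComma$")`
# Writing the token as $multipleValuesSeparatedByComma|s$ instead lets the
# dashboard add the surrounding quotes and escape any quote characters
# inside the value.
```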