Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk macro in search string

karthikmalla
Explorer
‎10-30-2017 08:47 PM

I created a Macro with name auth(1), app is ES, argument is src and the definition is 

| from datamodel:"Authentication"."Authentication" | search (src="$src$" OR Authentication.src="$src$" OR dest="$src$" OR Authentication.dest="$src$") | eval username=user_first+" "+user_last | eval phone=if(isnull(user_phone), user_phone2, user_phone) | rename user_managedBy as userid, user_email as email, WorkstationName as workstation | fields username, email, userid, phone, workstation

And I am trying to call this Macro in a ES search as

sourcetype=*someexamplesourcetype* auth(src) and this didn't work

I also tried like
sourcetype=*someexamplesourcetype* auth("10.20.30.40") and this didn't work too
sourcetype=*someexamplesourcetype* auth(1) and this didn't work too

When I try like

sourcetype=*someexamplesourcetype* auth I am getting error message as

Error in 'SearchParser': The search specifies a macro 'auth' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

Note There are backticks in front of auth and auth(src) as you know this will be converted to code format I removed backticks in this question.

I assigned the Macro access to global with read & write for everyone, still the error message appears.

0 Karma
Reply

romanwaldecker
Path Finder
‎09-29-2019 09:31 AM

You forgot to embed the macro into the ` ` characters.
Like this:
`auth(src)`

PS: Yes, I know this is a really delayed answer and the problem most likely has already been solved. Just a help for users having with a similar issue.

0 Karma
Reply

hardikJsheth
Motivator
‎10-31-2017 03:40 AM

Hi @karthikmalla,

I think you need to make it Global and read permission is needed for the macro. I can see one issue with the defination of your macro, you need to remove first "I" from the macro defination.

from datamodel:"Authentication"."Authentication" | search (src="$src$" OR Authentication.src="$src$" OR dest="$src$" OR Authentication.dest="$src$") | eval username=user_first+" "+user_last | eval phone=if(isnull(user_phone), user_phone2, user_phone) | rename user_managedBy as userid, user_email as email, WorkstationName as workstation | fields username, email, userid, phone, workstation
Reply

karthikmalla
Explorer
‎10-31-2017 03:23 PM

Still not working. How should I call the macro in search? Is that like?

sourcetype=* auth("10.20.30.40") and back ticks in the beginning & ending of auth("10.20.30.40"). ?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...