Knowledge Management

Unable to pass field as an argument to my macro

kashnburn
Engager

I'm fairly new to Splunk so I am having a hard time understanding how Splunk passes fields.

My search:
host=HMWVP* source="WMI:Service" Name=Audiosrv State!=Running
|table host Name State
|dedup host
|eval schedule_id = host
|maint_schedule_hours_check($schedule_id$)

My Macro:
[maint_schedule_hours_check(1)]
args = schedule_id
definition = join \
[| inputlookup schedule_hours.csv \
| search schedule_id = $schedule_id$ \
| schedule_local_time($schedule_id$) \
| eval day_of_week =strftime(current_time, "%w") \
| where day_of_week = calendar_day_of_week \
| eval current_date =strftime(current_time, "%m/%d/%y") \
| eval hours_startTime = current_date." ".start_time \
| eval hours_endTime = current_date." ".end_time \
| convert timeformat="%m/%d/%y %H:%M" mktime(*Time) \
| where current_time > hours_startTime \
| where current_time < hours_endTime \
| stats count as schedule_hours_count \
| eval is_maintenance_hours = if(schedule_hours_count>0,"true","false")]
errormsg = When calling ismaintenance_hours input param schedule_id must be provided
iseval = 0
validation = isnotnull($schedule_id$)

Any guidance or suggestions would be greatly appreciated.
Thank you

Labels (1)
0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...