Knowledge Management
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

macro question - how to use the macro search results to another search?

crt89
Communicator
‎11-07-2013 10:03 PM

Good day fellow Splunkers,

I'm new to this macro in Splunk and I want to ask if this could be possible.

I have 3 monitored folders, I want to start my search to just get the latest source of this 3 folders. So I was thinking can I do a macro search to first filter my sources. 1 for each directory. So I will only have 3 sources to search for my search string.

The problem is I dont know how to configure the macro to pass the results of the macro search to a variable that I will be using for my search.

my sample macro would be:

host=host1 | stats latest(source) as host1_source_latest
(same for the other 2 directory)

then my search would be source=[the results of the macro] | [my search string]

This is what I'm planning to do, if there would be other approach it would be much appreciated.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-08-2013 12:18 AM

You can use macros in subsearches as you normally would in non-sub-searches. For example, if you have this search

my search string [search host=host1 | head 1 | fields source]

where the subsearch will be evaluated to source=foo, you can replace the inner contents of the subsearch with a call to a macro. It could then look something like this:

my search string [`macro`]

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-08-2013 12:18 AM

You can use macros in subsearches as you normally would in non-sub-searches. For example, if you have this search

my search string [search host=host1 | head 1 | fields source]

where the subsearch will be evaluated to source=foo, you can replace the inner contents of the subsearch with a call to a macro. It could then look something like this:

my search string [`macro`]
Reply
Solved! Jump to solution

crt89
Communicator
‎11-08-2013 01:53 AM

edit: forgot to change query strings. solved now. Thanks again

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-08-2013 01:01 AM

Note, I have modified the subsearch - should be a much faster way to grab the latest source.

0 Karma
Reply
Solved! Jump to solution

crt89
Communicator
‎11-08-2013 12:50 AM

I have tried it and it works. Thank its a nice start for me to make use of macros.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...
Top