Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

macro question - how to use the macro search results to another search?

crt89
Communicator
‎11-07-2013 10:03 PM

Good day fellow Splunkers,

I'm new to this macro in Splunk and I want to ask if this could be possible.

I have 3 monitored folders, I want to start my search to just get the latest source of this 3 folders. So I was thinking can I do a macro search to first filter my sources. 1 for each directory. So I will only have 3 sources to search for my search string.

The problem is I dont know how to configure the macro to pass the results of the macro search to a variable that I will be using for my search.

my sample macro would be:

host=host1 | stats latest(source) as host1_source_latest
(same for the other 2 directory)

then my search would be source=[the results of the macro] | [my search string]

This is what I'm planning to do, if there would be other approach it would be much appreciated.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-08-2013 12:18 AM

You can use macros in subsearches as you normally would in non-sub-searches. For example, if you have this search

my search string [search host=host1 | head 1 | fields source]

where the subsearch will be evaluated to source=foo, you can replace the inner contents of the subsearch with a call to a macro. It could then look something like this:

my search string [`macro`]

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-08-2013 12:18 AM

You can use macros in subsearches as you normally would in non-sub-searches. For example, if you have this search

my search string [search host=host1 | head 1 | fields source]

where the subsearch will be evaluated to source=foo, you can replace the inner contents of the subsearch with a call to a macro. It could then look something like this:

my search string [`macro`]
Reply
Solved! Jump to solution

crt89
Communicator
‎11-08-2013 01:53 AM

edit: forgot to change query strings. solved now. Thanks again

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-08-2013 01:01 AM

Note, I have modified the subsearch - should be a much faster way to grab the latest source.

0 Karma
Reply
Solved! Jump to solution

crt89
Communicator
‎11-08-2013 12:50 AM

I have tried it and it works. Thank its a nice start for me to make use of macros.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...