Good day fellow Splunkers,
I'm new to this macro in Splunk and I want to ask if this could be possible.
I have 3 monitored folders, I want to start my search to just get the latest source of this 3 folders. So I was thinking can I do a macro search to first filter my sources. 1 for each directory. So I will only have 3 sources to search for my search string.
The problem is I dont know how to configure the macro to pass the results of the macro search to a variable that I will be using for my search.
my sample macro would be:
host=host1 | stats latest(source) as host1sourcelatest
(same for the other 2 directory)
then my search would be source=[the results of the macro] | [my search string]
This is what I'm planning to do, if there would be other approach it would be much appreciated.
You can use macros in subsearches as you normally would in non-sub-searches. For example, if you have this search
my search string [search host=host1 | head 1 | fields source]
where the subsearch will be evaluated to
source=foo, you can replace the inner contents of the subsearch with a call to a macro. It could then look something like this:
my search string [`macro`]
Note, I have modified the subsearch - should be a much faster way to grab the latest source.