pass field value in search as an argument to be us...

hexerino · ‎03-22-2019

Hi,

I am trying to figure out how to pass a field value in the search to a macro which interprets it and does further processing through a lookup table.

I have consulted multiple threads but due to karma cannot link to them. Currently my approach is as follows:

Search

index=my_index my_custom_field="the_value_to_filter_for" | map search="|`my_processing_macro($my_custom_field_)`"

Macro: my_processing_macro(1) (argument defined as name)

lookup my_lookup_table_def $name$ as lookup_table_column1

Lookup table (CSV-format): linked to lookup table definition

lookup_table_column1,lookup_table_column2
value_i_pass_in_macro, value_i_want_returned

So in short, the value I pass in my_custom_field corresponds to a column1 row in the lookup table. Basically column 2 contains the regex or other macro's to expand during processing.

lakshman239 · ‎03-26-2019

The below search should work .. are you seeing any errors? You need $$ and test your macros by using both |yourmacro(1)` pipe and without pipe and adjust

index=my_index my_custom_field="the_value_to_filter_for" | map search=" search `my_processing_macro($my_custom_field$)`"

hexerino · ‎03-28-2019

After long deliberation we decided to adopt a different filtering strategy. This method worked after some alteration. Thank you for your suggestion !

lakshman239 · ‎03-28-2019

Glad it helped. Pls vote to accept the comment/answers and also post your answers for future readers.

pass field value in search as an argument to be used in a macro

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?