Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Calling an eval-macro

ignacm01
New Member
‎02-21-2020 07:42 AM

Hi All, I can't put an eval before my search syntax so I am trying to use an eval-Macro called "FriendlyEval"
However, I can't seem to find a way to call it!

The macro

| eval Friendly=$Friend$
| lookup Friendly_Name.csv Friendly OUTPUT FullHost
| lookup Friendly_Name.csv Friendly OUTPUT FullHostHSB

The Search

eventtype=eop_WinEventLog:Application

FriendlyEval - where I need to call the macro

host IN (FullHost, FullHostHSB) Message="OMIS $omis01$" OR TaskCategory="omis $omis01$"
Type IN ($Type01$)

| table _time host TaskCategory Type EventCode Message
| sort - _time

0 Karma
Reply

wmyersas
Builder
‎02-21-2020 10:48 AM

First, you don't need two calls to your lookup - you can do this:

| lookup Friendly_Name.csv Friendly OUTPUT FullHost FullHostHSB

Secondly, what prevents you from doing this:

eventtype=eop_WinEventLog:Application `FriendlyEval`
| <rest of your search>
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-21-2020 10:46 AM

When using a macro, the expanded macro definition has to make sense (like you had written the query using the definition instead of the macro). In your example,

eventtype=eop_WinEventLog:Application
| eval Friendly=$Friend$
| lookup Friendly_Name.csv Friendly OUTPUT FullHost
| lookup Friendly_Name.csv Friendly OUTPUT FullHostHSB
host IN (FullHost, FullHostHSB) Message="OMIS $omis01$" OR TaskCategory="omis $omis01$"
Type IN ($Type01$)

| table _time host TaskCategory Type EventCode Message
| sort - _time

Doesn't work because 'host IN...' is out of place. Try this:

eventtype=eop_WinEventLog:Application

`FriendlyEval`

| where (host IN (FullHost, FullHostHSB) Message="OMIS $omis01$" OR TaskCategory="omis $omis01$"
AND Type IN ($Type01$))
| table _time host TaskCategory Type EventCode Message
| sort - _time
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...