Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Calling an eval-macro

ignacm01
New Member
‎02-21-2020 07:42 AM

Hi All, I can't put an eval before my search syntax so I am trying to use an eval-Macro called "FriendlyEval"
However, I can't seem to find a way to call it!

The macro

| eval Friendly=$Friend$
| lookup Friendly_Name.csv Friendly OUTPUT FullHost
| lookup Friendly_Name.csv Friendly OUTPUT FullHostHSB

The Search

eventtype=eop_WinEventLog:Application

FriendlyEval - where I need to call the macro

host IN (FullHost, FullHostHSB) Message="OMIS $omis01$" OR TaskCategory="omis $omis01$"
Type IN ($Type01$)

| table _time host TaskCategory Type EventCode Message
| sort - _time

0 Karma
Reply

wmyersas
Builder
‎02-21-2020 10:48 AM

First, you don't need two calls to your lookup - you can do this:

| lookup Friendly_Name.csv Friendly OUTPUT FullHost FullHostHSB

Secondly, what prevents you from doing this:

eventtype=eop_WinEventLog:Application `FriendlyEval`
| <rest of your search>
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-21-2020 10:46 AM

When using a macro, the expanded macro definition has to make sense (like you had written the query using the definition instead of the macro). In your example,

eventtype=eop_WinEventLog:Application
| eval Friendly=$Friend$
| lookup Friendly_Name.csv Friendly OUTPUT FullHost
| lookup Friendly_Name.csv Friendly OUTPUT FullHostHSB
host IN (FullHost, FullHostHSB) Message="OMIS $omis01$" OR TaskCategory="omis $omis01$"
Type IN ($Type01$)

| table _time host TaskCategory Type EventCode Message
| sort - _time

Doesn't work because 'host IN...' is out of place. Try this:

eventtype=eop_WinEventLog:Application

`FriendlyEval`

| where (host IN (FullHost, FullHostHSB) Message="OMIS $omis01$" OR TaskCategory="omis $omis01$"
AND Type IN ($Type01$))
| table _time host TaskCategory Type EventCode Message
| sort - _time
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...