Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you help me use a macro in an eval statement and IN operator?

lospinoj2
New Member
‎03-29-2019 05:29 AM

We're trying to use a single macro in two different contexts — an "eval" command and "IN()" operator. We can't seem to find the syntax that will allow the same macro to work in both.

| eval index=`_index_list_all`
|makemv delim="," index
| search index IN(`index_list_all`)

"one,two,three" - Works in eval but not in IN
one,two,three - Works in IN but not in eval (just a comma delimited list no outer quotes)

Help is greatly appreciated.

Jeff

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎03-31-2019 10:46 PM

These are 2 different syntax requirements so it is not possible because of how " is used:

... | eval index="one, two, three"

vs.

... | search index IN("one", "two", "three")
0 Karma
Reply

somesoni2
Revered Legend
‎03-29-2019 09:02 AM

Both functions requires data in different format, so this may not be possible.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...