Splunk Search

Can you help me use a macro in an eval statement and IN operator?

New Member

We're trying to use a single macro in two different contexts — an "eval" command and "IN()" operator. We can't seem to find the syntax that will allow the same macro to work in both.

| eval index=`_index_list_all`
|makemv delim="," index
| search index IN(`index_list_all`) 

"one,two,three" - Works in eval but not in IN
one,two,three - Works in IN but not in eval (just a comma delimited list no outer quotes)

Help is greatly appreciated.


Tags (2)
0 Karma

Esteemed Legend

These are 2 different syntax requirements so it is not possible because of how " is used:

... | eval index="one, two, three"


... | search index IN("one", "two", "three")
0 Karma


Both functions requires data in different format, so this may not be possible.

0 Karma