Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Don't get eval based macros

andersmholmgren
Explorer
‎12-08-2011 04:59 PM

I just can't seem to understand how the eval based macros are supposed to work

I wrote a very simple macro

[TEST]
definition = "TEST"
iseval = 1

then a query to test the output

index=_audit | head 1 | eval test1=`TEST`  | eval test2=tostring(`TEST`) | table test*

The output is one column 'test2' with a value of Null

Why is that? Shouldn't the value be "TEST" for both columns? If not why not?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

genthaler
Engager
‎12-08-2011 07:10 PM

Try this:

[TEST]
definition = "\"TEST\""
iseval = 1

View solution in original post

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎12-08-2011 10:56 PM

An eval-based macro returns a string, which is substituted into the query. Your macro returns the string TEST, without quotes, so you are getting:

... | eval test1=TEST  | eval test2=tostring(TEST) | ...

In this case, TEST is used as the name of a non-existent variable. You can get what you intended either with @genthaler's answer, or by putting the quotes in the query:

... | eval test1="`TEST`"  | eval test2=tostring("`TEST`") | ...
Reply
Solved! Jump to solution

genthaler
Engager
‎12-09-2011 05:37 AM

Hi @gkanapathy,
I just tried it, unfortunately quoted macro invocations don't get invoked.
So instead of "TEST", you end up with the literal string "`TEST`".

0 Karma
Reply
Solved! Jump to solution
Solution

genthaler
Engager
‎12-08-2011 07:10 PM

Try this:

[TEST]
definition = "\"TEST\""
iseval = 1

Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Welcome back to Splunk Classroom Chronicles, our ongoing blog series that pulls back the curtain on Splunk ...

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...