Splunk Search

Don't get eval based macros

andersmholmgren
Explorer

I just can't seem to understand how the eval based macros are supposed to work

I wrote a very simple macro

[TEST]
definition = "TEST"
iseval = 1

then a query to test the output

index=_audit | head 1 | eval test1=`TEST`  | eval test2=tostring(`TEST`) | table test*

The output is one column 'test2' with a value of Null

Why is that? Shouldn't the value be "TEST" for both columns? If not why not?

Tags (3)
0 Karma
1 Solution

genthaler
Engager

Try this:

[TEST]
definition = "\"TEST\""
iseval = 1

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

An eval-based macro returns a string, which is substituted into the query. Your macro returns the string TEST, without quotes, so you are getting:

... | eval test1=TEST  | eval test2=tostring(TEST) | ...

In this case, TEST is used as the name of a non-existent variable. You can get what you intended either with @genthaler's answer, or by putting the quotes in the query:

... | eval test1="`TEST`"  | eval test2=tostring("`TEST`") | ...

genthaler
Engager

Hi @gkanapathy,
I just tried it, unfortunately quoted macro invocations don't get invoked.
So instead of "TEST", you end up with the literal string "`TEST`".

0 Karma

genthaler
Engager

Try this:

[TEST]
definition = "\"TEST\""
iseval = 1

Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...