Splunk Search

Don't get eval based macros

andersmholmgren
Explorer

I just can't seem to understand how the eval based macros are supposed to work

I wrote a very simple macro

[TEST]
definition = "TEST"
iseval = 1

then a query to test the output

index=_audit | head 1 | eval test1=`TEST`  | eval test2=tostring(`TEST`) | table test*

The output is one column 'test2' with a value of Null

Why is that? Shouldn't the value be "TEST" for both columns? If not why not?

Tags (3)
0 Karma
1 Solution

genthaler
Engager

Try this:

[TEST]
definition = "\"TEST\""
iseval = 1

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

An eval-based macro returns a string, which is substituted into the query. Your macro returns the string TEST, without quotes, so you are getting:

... | eval test1=TEST  | eval test2=tostring(TEST) | ...

In this case, TEST is used as the name of a non-existent variable. You can get what you intended either with @genthaler's answer, or by putting the quotes in the query:

... | eval test1="`TEST`"  | eval test2=tostring("`TEST`") | ...

genthaler
Engager

Hi @gkanapathy,
I just tried it, unfortunately quoted macro invocations don't get invoked.
So instead of "TEST", you end up with the literal string "`TEST`".

0 Karma

genthaler
Engager

Try this:

[TEST]
definition = "\"TEST\""
iseval = 1

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...