Splunk Search

Having trouble passing values in a macro to collect command.

ddelmont
Explorer

Splunkers,

I sure hope this is just user error and I am myopic today! 

Have a simple macro:

 

collectevents(2)
args=index_parm,testmode_parm
| addinfo | collect index=$index_parm$ testmode=$testmode_parm$ source=mysource 

 

These both work:

 

`collectevents("Indexname",0)`
`collectecents("Indexname","False")`

 

But these don't work:

 

stuff....
|eval index_parm="Indexname"
|eval testmode_parm=0
`collectevents(index_parm,testmode_parm)`

 

 When ever I pass a variable I get: 

Error in 'SearchProcessor': Invalid option value. Expecting a 'boolean' for option 'testmode'.  Instead got 'testmode_parm'.

It only complains about the testmode, but it's not passing the index_parm string correctly either.   If I don't pass or remove testmode_parm, I stop getting an error but nothing shows up in the index.  Crtl+Shift+E show index=index_parm.  It's like the substitution is just not taking place.

Any ideas?  Thank you.

Labels (1)
Tags (3)
0 Karma
1 Solution

ddelmont
Explorer
0 Karma

ddelmont
Explorer

Thank you Murphy.  Should have posted this sooner.  Found a solution at:

https://community.splunk.com/t5/Knowledge-Management/collect-index-quot-based-on-values-quot/td-p/47... 

Tags (2)
0 Karma

to4kawa
Ultra Champion

is string or number in this case, I guess.

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...