Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to create a new field using macros?

andra_pietraru
Path Finder
‎04-21-2015 04:54 AM

I am trying to add a new field in my events using eval, but I am getting errors.
My search looks like this:

... | eval newField=`getIpBasedOnMac($mac$)` | chart values(field1) over newField by mac

Any suggestions on how I could create newField and give it the value that the macro returns?

Tags (2)
0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎04-21-2015 07:23 AM

Your eval will create the field for this event, in this search.

With the above macro definition, try
... |getIpBasedOnMac(mac) | chart values(field1) over ip by mac

0 Karma
Reply

andra_pietraru
Path Finder
‎04-21-2015 07:39 AM

I tried. No results.

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎04-21-2015 11:10 PM

With splunk, "no results" is not the same as "doesn't work". Maybe there was no ip for that mac? Have you tried your macro code as an individual search, with the mac entered manually?
Generally, when you put an eval expression in a macro, you can use the field you eval'd after the macro.

0 Karma
Reply

andra_pietraru
Path Finder
‎04-21-2015 11:52 PM

When I try the macro code as a search, I get back the event that has that mac and ip fields in it. So the macro is ok.

I also tried calling the macro in two different ways:
1. sourcetype=xmlConfig|findIpBasedOnMac(0000000001)|table *
AND
2. sourcetype=other|findIpBasedOnMac(0000000001)|table *

The first search gives the event that I want. The second one returns no results.

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎04-22-2015 12:01 AM

Ah. Sorry. Does your base search contain events of the sourcetype that the macro needs? Whether inside a macro or not, the eval that is supposed to deliver the new field needs to see the required data from the base search, as it does not run a subsearch to gather its own data. Maybe all you need to do is adjust your base search to include the xmlConfig sourcetype, such as index=foo sourcetype=other OR sourcetype=xmlConfig | ...

0 Karma
Reply

andra_pietraru
Path Finder
‎04-22-2015 04:53 AM

Do you know how I could pass a field from an outer search to a subsearch? Is that possible?

For example:
sourcetype=1|eval newField=[search sourcetype=2 innerField=outerField|return something|format] ...

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎04-22-2015 05:00 AM

No, subsearches are run before the main search.

0 Karma
Reply

andra_pietraru
Path Finder
‎04-22-2015 12:09 AM

My base search did not contain the sourcetype needed in the macro. After I add it, I get back one event, the one from the macro. But I don't get anything for the chart.
I will keep trying. Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...