
How to create a new field using macros?

Path Finder

I am trying to add a new field in my events using eval, but I am getting errors.
My search looks like this:

... | eval newField=`getIpBasedOnMac($mac$)` | chart values(field1) over newField by mac

Any suggestions on how I could create newField and give it the value that the macro returns?


Re: How to create a new field using macros?

Champion

Does $mac$ come from some input, i.e. is it a token, or why did you enclose it in dollar signs?
Otherwise, the dollar signs are needed only in the definition of the macro. If mac exists as a field, you can just call your macro with the plain field name as its argument.
Also, what does your macro look like?


Re: How to create a new field using macros?

Path Finder

No, mac is just a field that I want to pass as an argument. I tried without the $ sign, but still get the same error.
If I call the macro without the eval, i.e:
sourcetype=xmlConfig findIpBasedOnMac(00000001)
I get ip="190.000.000.00"

The problem is that I want to assign that value as a new field in my events. IS there any way to do that?


Re: How to create a new field using macros?

Champion

Probably 🙂 What does your macro definition look like? It has to be of the form you would usually place after the =-sign of your eval.


Re: How to create a new field using macros?

Path Finder

This is the macro:

sourcetype=xmlConfig | rename switch.ipv4address as ip | search MAC=$mac$ | return ip


Re: How to create a new field using macros?

Champion

Your rex probably got corrupted while posting it, you need to post it as code. But still, that looks like the problem. As sowings (and I also) mentioned, your macro definition must be what you would usually put after the =-sign of your eval. A macro is basically text replacement.


Re: How to create a new field using macros?

Path Finder

Actually, I just realized that I do not even need that rex to retrieve the ip field.

Anyway, how could I return only the value of the ip field instead of "ip=..." in my macro? Should I use rex for that as well? I am fairly new to Splunk, so I have no idea what my possibilities are. Thanks!


Re: How to create a new field using macros?

Champion

You should not think of "returning" anything in your macro, only as much as for example if(field=value,1,0) returns something. What just crossed my mind is that you could run your macro almost as it is, but change it so that it contains an eval expression which gives you the field you want, something like

sourcetype=xmlConfig | search MAC=$mac$ | eval ip=switch.ipv4address

You could then use the field "ip" in the search after the macro.

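The "a macro is basically text replacement" point above, as an added Python simulation (not Splunk's code and not part of this thread): it expands backtick macro calls textually, the way Splunk does, and shows why the pipeline-shaped macro breaks when placed after eval while an eval-expression macro works. The macro names ipForMac and the case() mapping are constructed for the illustration.

```python
import re

# Constructed macro definitions, keyed the way macros.conf stanzas are named,
# name(argcount) -> (argument names, definition text).
MACROS = {
    # The macro from the thread: a whole search pipeline, not an eval expression.
    "getIpBasedOnMac(1)": (
        ["mac"],
        "sourcetype=xmlConfig | rename switch.ipv4address as ip "
        "| search MAC=$mac$ | return ip",
    ),
    # An eval-expression macro (assumed name); only this shape can follow `eval field=`.
    # The case() mapping stands in for whatever logic maps a MAC to an IP.
    "ipForMac(1)": (
        ["mac"],
        'case($mac$=="00000001", "190.000.000.00", true(), "unknown")',
    ),
}

MACRO_CALL = re.compile(r"`(\w+)\(([^`]*)\)`")


def expand_macros(search: str, macros=MACROS) -> str:
    """Replace each `name(args)` with its definition, substituting $arg$ tokens.

    This is plain text replacement; the resulting string is what the search
    parser actually sees, which is why a macro used inside eval must itself be
    a valid eval expression.
    """
    def repl(m):
        name, raw_args = m.group(1), m.group(2)
        args = [a.strip() for a in raw_args.split(",")] if raw_args.strip() else []
        key = f"{name}({len(args)})"
        if key not in macros:
            raise KeyError(f"unknown macro {key}")
        arg_names, body = macros[key]
        for arg_name, value in zip(arg_names, args):
            body = body.replace(f"${arg_name}$", value)
        return body

    return MACRO_CALL.sub(repl, search)


def stages(search: str) -> list:
    """Split an expanded search into its pipeline stages (commands)."""
    return [s.strip() for s in search.split("|")]
```

Expanding the original search shows the eval stage reduced to `eval newField=sourcetype=xmlConfig`, with rename, search and return spilling out as separate commands; the eval-expression macro expands into a single, well-formed eval stage.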

Re: How to create a new field using macros?

Path Finder

I understand what you mean, but the problem is that my main search looks at a different sourcetype, which does not have ip as field. So, this will return absolutely no results. What I try to achieve is to add a new field (ip) and then use it to group the mac addresses. I will try to do some more research and come back with a solution.


Re: How to create a new field using macros?

Champion

The eval in your macro will create the field ip 🙂
