I am trying to add a new field in my events using eval, but I am getting errors.
My search looks like this:
... | eval newField=`getIpBasedOnMac($mac$)` | chart values(field1) over newField by mac
Any suggestions on how I could create newField and give it the value that the macro returns?
Does $mac$ come from some input, i.e. is it a token, or why did you enclose it in dollar signs?
Otherwise, the dollar signs are needed only in the definition of the macro. If mac exists as a field, you can just call your macro with the plain field name as its argument.
Also, what does your macro look like?
No, mac is just a field that I want to pass as argument. I tried without the $ sign, but still get the same error.
If I call the macro without the eval, i.e.:
I get ip="190.000.000.00"
The problem is that I want to assign that value as a new field in my events. Is there any way to do that?
Your rex probably got corrupted while posting it; you need to post it as code. But still, that looks like the problem. As sowings (and I) mentioned, your macro definition must be what you would usually put after the = sign of your eval. A macro is basically text replacement.
Actually, I just realized that I do not even need that rex to retrieve the ip field.
Anyway, how could I return only the value of the ip field instead of "ip=..." in my macro? Should I use rex for that as well? I am fairly new to Splunk, so I have no idea what my possibilities are. Thanks!
You should not think of "returning" anything in your macro, only as much as, for example, if(field=value,1,0) returns something. What just crossed my mind is that you could run your macro almost as it is, but change it so that it contains an eval expression which gives you the field you want, something like
sourcetype=xmlConfig | search MAC=$mac$ | eval ip='switch.ipv4address'
You could then use the field "ip" in the search after the macro.
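As an added illustration of the text-replacement point made in the two replies above (this is not code from the thread; the macro name, the field names and the normalisation logic are assumptions), here is a macros.conf stanza whose definition is a bare eval expression, together with the search line that calls it and what Splunk actually runs after expansion:

```ini
# macros.conf (constructed example, not from the original thread)
# The definition is a plain eval expression, so it can be dropped in
# after "eval newField=" in a search. Nothing is "returned": the text
# of the definition is pasted into the search, with $mac$ replaced by
# whatever the caller passed in.
[getIpBasedOnMac(1)]
args = mac
# Hypothetical body: lower-case the MAC, turn dashes into colons, and
# yield "unknown" when the field is missing from the event.
definition = if(isnull($mac$), "unknown", lower(replace($mac$, "-", ":")))

# Call site in the search. The caller passes the plain field name
# (mac), not $mac$; the dollar signs belong only in the definition:
#   ... | eval newField=`getIpBasedOnMac(mac)` | chart values(field1) over newField by mac
# After text replacement Splunk executes:
#   ... | eval newField=if(isnull(mac), "unknown", lower(replace(mac, "-", ":")))
```

Because the expansion is purely textual, the macro can only compute from fields already present in the event it runs on; it cannot fetch a value from a different sourcetype.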
I understand what you mean, but the problem is that my main search looks at a different sourcetype, which does not have ip as a field. So, this will return absolutely no results. What I am trying to achieve is to add a new field (ip) and then use it to group the mac addresses. I will try to do some more research and come back with a solution.