
How to pass earliest / latest parameters to a macro from a map section ?

New Member

Hello everyone,

I've been stuck for many days trying to understand what is preventing Splunk from passing arguments to the macro within the map section.
I have tried many combinations unsuccessfully and couldn't find matching answers in the forum yet.
Please find below a very simplified example of what I'm trying to achieve.
There is a macro with 2 arguments used to build the earliest value in the form: -(nbofunits)(unit)@(unit).
Thank you for your suggestions and inputs.

Let's define a basic macro named: x_Test_Macro(2)

Arguments: macro_var_01,macro_var_02
Definition:

index=*
earliest=-$macro_var_01$$macro_var_02$@$macro_var_02$
latest=@d
| table _time

Execute the macro in the search bar:

`x_Test_Macro(1,"d")`

=> Works great and returns the expected results, all events' _time values from the last 2 days.

But with the SPL code I'm trying to execute, it FAILS:

| makeresults
| eval Field1=1
| eval Field2="d"
| map 
[
search `x_Test_Macro($Field1$,$Field2$)`
]

=> It fails on: Invalid value "-$Field1$$Field2$@$Field2$" for time term 'earliest'

Concern & questions:

I don't understand the underlying cause of the failure.
Does anyone know why this is happening and how to avoid the problem?
Maybe the Splunk development team could provide a technical explanation.
Is it a limitation specific to fields like earliest / latest?
In this case, is it documented somewhere?
The behavior looks odd to me, knowing that the example hereafter, which is close to the above one, works fine.

Please find investigations / references hereafter.

The following SPL works fine:

| makeresults
| eval Field1="Laurel"
| eval Field2="Hardy"
| map 
[ 
search index=* earliest=-2d@d latest=@d 
| eval Field3="$Field1$"." & "."$Field2$"
| table _time Field3
]

Works great and returns the expected results, meaning that there is no issue with passing the Field1 and Field2 values to the map section and using them (as long as it is not in the "earliest" field!!!)

More interestingly, the following SPL is fine too:

| makeresults
| eval Field1=2
| eval Field2="d"
| map 
search="
search index=* earliest=-$Field1$$Field2$@$Field2$ latest=@d 
| table _time
"

=> When using search="...", Splunk is able to compute Field1 and Field2 to make up the earliest string, but it fails as soon as I introduce the [ ]; this is very odd...

Re: How to pass earliest / latest parameters to a macro from a map section ?

Esteemed Legend

It is not valid to use map with subsearch-only syntax. Even though it may appear to work, it actually causes incredible inefficiencies and should never be used. If you use the correct, documented, supported syntax, it works fine:

| makeresults
| eval Field1=1
| eval Field2="d"
| map search="search `x_Test_Macro($Field1$,$Field2$)`"

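The macro the thread talks about, written out as a macros.conf stanza so the argument names and the $arg$ tokens in the definition can be checked against each other. This is an added example, not the original poster's macro as they defined it in the UI and not code from the accepted answer; the validation and errormsg keys are an assumption added here to reject a call whose arguments could not form a valid earliest= term before the search ever runs.

```conf
# macros.conf (added example, not from the original post).
# Argument names must match the $...$ tokens in the definition exactly;
# a mismatch leaves the literal "$macro_var_01$" in the search and
# earliest= then fails with an "Invalid value ... for time term" error.
[x_Test_Macro(2)]
args = macro_var_01, macro_var_02
definition = index=* earliest=-$macro_var_01$$macro_var_02$@$macro_var_02$ latest=@d | table _time

# Assumption of this example: fail fast on arguments that cannot build a
# relative time modifier (a number of units and one of Splunk's time units).
validation = isnum(macro_var_01) AND match(macro_var_02, "^(s|m|h|d|w|mon|q|y)$")
errormsg = x_Test_Macro expects a count and a time unit, for example x_Test_Macro(2,d)
```

With that stanza in place, the accepted answer's search is what drives it, and it is worth bounding the fan-out explicitly, since map runs one subsearch per input row:

| makeresults | eval Field1=1 | eval Field2="d" | map maxsearches=1 search="search `x_Test_Macro($Field1$,$Field2$)`"

Only the search="..." form is documented for map; the $Field1$ and $Field2$ tokens are substituted into that string once per input row, after which the macro is expanded and earliest= receives the already-resolved value.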

Re: How to pass earliest / latest parameters to a macro from a map section ?

New Member

Thank you very much Gregg,
I tried many combinations (much more than what I documented here), scratching my head for days, falling into those "incredible inefficiencies" you mentioned when I was using large sets of events.
Wrongly, I was almost always using a main subsearch in the map, thinking the square brackets would provide a "clearer" presentation with no further impact in this context.
Obviously I never tried the exact syntax you mentioned for the macro in the map!
Thank you again for your insight.
éric