I have been stuck for many days trying to understand what is preventing Splunk from passing arguments to the macro within the map section.
I have tried many combinations unsuccessfully and could not find a matching answer in the forum yet.
Please find below a very simplified example of what I'm trying to achieve.
There is a macro with 2 arguments used to build the earliest value in the form -(nbofunits)(unit)@(unit).
Thank you for your suggestions and inputs.
index=* earliest=-$macro_var_01$$macro_var_02$@$macro_var_02$ latest=@d | table _time
=> Works great and returns the expected results, all events' _time values from the last 2 days.
| makeresults | eval Field1=1 | eval Field2="d" | map [ search `x_Test_Macro($Field1$,$Field2$)` ]
=> It fails on: Invalid value "-$Field1$$Field2$@$Field2$" for time term 'earliest'
I don't understand the underlying cause of the failure.
Does anyone know why this is happening and how to avoid the problem?
Maybe the Splunk development team could provide a technical explanation.
Is it a limitation specific to fields like earliest / latest?
In this case, is it documented somewhere ?
The behavior looks odd to me given that the example below, which is close to the one above, works fine.
Please find my investigations / references below.
| makeresults | eval Field1="Laurel" | eval Field2="Hardy" | map [ search index=* earliest=-2d@d latest=@d | eval Field3="$Field1$"." & "."$Field2$" | table _time Field3 ]
=> Works great and returns the expected results, meaning that there is no issue with passing the Field1 and Field2 values to the map section and using them (as long as it is not in the "earliest" field!!!)
| makeresults | eval Field1=2 | eval Field2="d" | map search=" search index=* earliest=-$Field1$$Field2$@$Field2$ latest=@d | table _time "
=> When using search="...", Splunk is able to compute Field1 and Field2 to make up the earliest string, but it fails as soon as I introduce the [ ]; this is very odd...
It is not valid to use subsearch-only syntax. Even though it may appear to work, it actually causes incredible inefficiencies and should never be used. If you use the correct, documented, supported syntax, it works fine:
| makeresults | eval Field1=1 | eval Field2="d" | map search="search `x_Test_Macro($Field1$,$Field2$)`"
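For readers who want to reproduce the working form end to end, the macro and the map invocation it is called from are shown below as an added example; this is not the poster's or Gregg's own configuration. The stanza name, the argument names and index=* are assumptions modelled on the question, and the file is assumed to live in an app's local directory.

```ini
# macros.conf, assumed at $SPLUNK_HOME/etc/apps/<app>/local/macros.conf (added example)
# The number in the stanza name is the argument count; the definition builds the
# relative earliest string -(nbofunits)(unit)@(unit) from the two arguments, so
# x_Test_Macro(2,d) expands to: index=* earliest=-2d@d latest=@d | table _time
[x_Test_Macro(2)]
args = macro_var_01, macro_var_02
definition = index=* earliest=-$macro_var_01$$macro_var_02$@$macro_var_02$ latest=@d | table _time
```

Call it with the documented search= form so that map substitutes $Field1$ and $Field2$ from each input row before the search string is parsed and the macro is expanded; the error quoted in the question, "Invalid value "-$Field1$$Field2$@$Field2$" for time term 'earliest'", shows that with the [ ] form the macro body reached the time-term parser with the tokens still unsubstituted:

| makeresults | eval Field1=1, Field2="d" | map search="search `x_Test_Macro($Field1$,$Field2$)`" maxsearches=1

Two practical checks: map runs one full search per input row, so set maxsearches to the number of rows you actually expect rather than relying on the default of 10, and remember that every one of those searches runs the macro body against index=*, which is expensive on a large deployment; narrow the index in the macro or pass it in as a third argument.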
Thank you very much, Gregg.
I tried many combinations (many more than what I documented here), scratching my head for days and falling into those "incredible inefficiencies" you mentioned when I was using a large set of events.
Wrongly, I was almost always using a main subsearch in the map, thinking the square brackets would provide a "clearer" presentation with no further impact in this context.
Obviously I never tried the exact syntax you mentioned for the macro in the map!
Thank you again for your insight.