Splunk Search

How to pass indexes from a macro to another search

thinhdinh
Path Finder

Hello experts,

I am using makeresults command to create a macro like below:

| `get_indexes_by_args(1)`

And the macro will return the string like below:

index IN ("apps", "_apps")

Now I want to pass this macro to another macro. How can I solve it? It will be like this:

| `get_indexes_by_args("app")` "/api/" | ....

 

Labels (1)
Tags (3)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

1st macro 

macro1(1)

sourcetype=$st$

parameter named as st

2nd macro

macro2(1)

`macro1($st$)`

parameter as st

call it as 

index=_internal `macro2(splunkd)`

View solution in original post

isoutamo
SplunkTrust
SplunkTrust

Hi

macro can contain another macro, so write it just like first one.

`macro1(1)` which then contains `get_indexes_by_args(1)`

r. Ismo

thinhdinh
Path Finder

@isoutamo Thank you for replying, but I still don't get it. So in the second macro I write like this:

`get_indexes_by_args($index$)`....|

 And then in the search bar I write the query like below

| `the_second_macro(...)`

And it is not working. Could you show me where I was wrong? 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

1st macro 

macro1(1)

sourcetype=$st$

parameter named as st

2nd macro

macro2(1)

`macro1($st$)`

parameter as st

call it as 

index=_internal `macro2(splunkd)`

isoutamo
SplunkTrust
SplunkTrust
If this solve your issue, please accept it as solution so other people also known it.
0 Karma

thinhdinh
Path Finder

To be honestly I still don't get it works, but I just accepted it as solution. Hope someone can get your idea. Cause I mentioned above, inside the first macro I use makeresults command to returned flexible indexes and I think maybe I did something wrong here. By the way I knew how to use a macro inside another macro, cause I have another one on my local splunk and it works well. Anyway thanks for your helps.

Tags (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Ok, can you show your macros.conf, so we can look if we found solution to you?

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...