How to pass indexes from a macro to another search

thinhdinh
Path Finder

Hello experts,

I am using the makeresults command to create a macro like the one below:

| `get_indexes_by_args(1)`

And the macro will return a string like the one below:

index IN ("apps", "_apps")

Now I want to pass this macro to another macro. How can I solve it? It will be like this:

| `get_indexes_by_args("app")` "/api/" | ....

 

0 Karma

isoutamo
SplunkTrust

Hi

A macro can contain another macro, so write it just like the first one.

`macro1(1)` which then contains `get_indexes_by_args(1)`

r. Ismo

thinhdinh
Path Finder

@isoutamo Thank you for replying, but I still don't get it. So in the second macro I write like this:

`get_indexes_by_args($index$)`....|

And then in the search bar I write the query like below:

| `the_second_macro(...)`

And it is not working. Could you show me where I was wrong? 

0 Karma

isoutamo
SplunkTrust

1st macro

macro1(1)

sourcetype=$st$

Parameter named st

2nd macro

macro2(1)

`macro1($st$)`

Parameter named st

Call it as:

index=_internal `macro2(splunkd)`

isoutamo
SplunkTrust
If this solves your issue, please accept it as the solution so other people also know it.
0 Karma
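
The nesting described in the answer above, as an added example that is not part of the original thread and not Splunk's own code: the two macros written as macros.conf stanzas (constructed here), plus a simplified Python model of how nested macro calls are expanded textually. The `load_macros` and `expand` helpers are hypothetical names, and argument parsing is a naive comma split.

```python
import configparser
import re

# Constructed macros.conf content mirroring the two macros in the answer.
MACROS_CONF = """
[macro1(1)]
args = st
definition = sourcetype=$st$

[macro2(1)]
args = st
definition = `macro1($st$)`
"""

# Matches `name` or `name(arg1, arg2)` between backticks.
CALL = re.compile(r"`(\w+)(?:\(([^`]*)\))?`")


def load_macros(text):
    """Return {stanza_name: (arg_names, definition)} from macros.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    macros = {}
    for stanza in cp.sections():
        raw_args = cp[stanza].get("args", "")
        args = [a.strip() for a in raw_args.split(",") if a.strip()]
        macros[stanza] = (args, cp[stanza]["definition"])
    return macros


def expand(search, macros, depth=0):
    """Replace each macro call with its definition, recursing into nested calls."""
    if depth > 10:
        raise RecursionError("macro nesting too deep (possible cycle)")

    def substitute(match):
        name, raw = match.group(1), match.group(2)
        values = [v.strip() for v in raw.split(",")] if raw else []
        # Stanza names carry the argument count, e.g. macro2(1).
        stanza = f"{name}({len(values)})" if values else name
        if stanza not in macros:
            raise KeyError(f"no macro stanza [{stanza}]")
        arg_names, definition = macros[stanza]
        for arg, value in zip(arg_names, values):
            definition = definition.replace(f"${arg}$", value)
        return expand(definition, macros, depth + 1)

    return CALL.sub(substitute, search)
```
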

thinhdinh
Path Finder

To be honest, I still don't get how it works, but I just accepted it as the solution. Hope someone can get your idea. As I mentioned above, inside the first macro I use the makeresults command to return flexible indexes, and I think maybe I did something wrong here. By the way, I knew how to use a macro inside another macro, because I have another one on my local Splunk and it works well. Anyway, thanks for your help.

0 Karma

isoutamo
SplunkTrust

OK, can you show your macros.conf, so we can see if we can find a solution for you?

0 Karma