Splunk Search

How to pass indexes from a macro to another search

thinhdinh
Path Finder

Hello experts,

I am using makeresults command to create a macro like below:

| `get_indexes_by_args(1)`

And the macro will return the string like below:

index IN ("apps", "_apps")

Now I want to pass this macro to another macro. How can I solve it? It will be like this:

| `get_indexes_by_args("app")` "/api/" | ....

 

Labels (1)
Tags (3)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

1st macro 

macro1(1)

sourcetype=$st$

parameter named as st

2nd macro

macro2(1)

`macro1($st$)`

parameter as st

call it as 

index=_internal `macro2(splunkd)`

View solution in original post

isoutamo
SplunkTrust
SplunkTrust

Hi

macro can contain another macro, so write it just like first one.

`macro1(1)` which then contains `get_indexes_by_args(1)`

r. Ismo

thinhdinh
Path Finder

@isoutamo Thank you for replying, but I still don't get it. So in the second macro I write like this:

`get_indexes_by_args($index$)`....|

 And then in the search bar I write the query like below

| `the_second_macro(...)`

And it is not working. Could you show me where I was wrong? 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

1st macro 

macro1(1)

sourcetype=$st$

parameter named as st

2nd macro

macro2(1)

`macro1($st$)`

parameter as st

call it as 

index=_internal `macro2(splunkd)`

isoutamo
SplunkTrust
SplunkTrust
If this solve your issue, please accept it as solution so other people also known it.
0 Karma

thinhdinh
Path Finder

To be honestly I still don't get it works, but I just accepted it as solution. Hope someone can get your idea. Cause I mentioned above, inside the first macro I use makeresults command to returned flexible indexes and I think maybe I did something wrong here. By the way I knew how to use a macro inside another macro, cause I have another one on my local splunk and it works well. Anyway thanks for your helps.

Tags (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Ok, can you show your macros.conf, so we can look if we found solution to you?

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...