Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pass indexes from a macro to another search

thinhdinh
Path Finder
‎07-10-2020 01:05 AM

Hello experts,

I am using makeresults command to create a macro like below:

| `get_indexes_by_args(1)`

And the macro will return the string like below:

index IN ("apps", "_apps")

Now I want to pass this macro to another macro. How can I solve it? It will be like this:

| `get_indexes_by_args("app")` "/api/" | ....

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-13-2020 08:40 AM

1st macro 

macro1(1)

sourcetype=$st$

parameter named as st

2nd macro

macro2(1)

`macro1($st$)`

parameter as st

call it as 

index=_internal `macro2(splunkd)`

View solution in original post

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-10-2020 05:58 AM

Hi

macro can contain another macro, so write it just like first one.

`macro1(1)` which then contains `get_indexes_by_args(1)`

r. Ismo

Reply
Solved! Jump to solution

thinhdinh
Path Finder
‎07-13-2020 05:33 AM

@isoutamo Thank you for replying, but I still don't get it. So in the second macro I write like this:

`get_indexes_by_args($index$)`....|

 And then in the search bar I write the query like below

| `the_second_macro(...)`

And it is not working. Could you show me where I was wrong? 

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-13-2020 08:40 AM

1st macro 

macro1(1)

sourcetype=$st$

parameter named as st

2nd macro

macro2(1)

`macro1($st$)`

parameter as st

call it as 

index=_internal `macro2(splunkd)`

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-13-2020 01:07 PM
If this solve your issue, please accept it as solution so other people also known it.
0 Karma
Reply
Solved! Jump to solution

thinhdinh
Path Finder
‎07-16-2020 04:34 AM

To be honestly I still don't get it works, but I just accepted it as solution. Hope someone can get your idea. Cause I mentioned above, inside the first macro I use makeresults command to returned flexible indexes and I think maybe I did something wrong here. By the way I knew how to use a macro inside another macro, cause I have another one on my local splunk and it works well. Anyway thanks for your helps.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-16-2020 12:11 PM

Ok, can you show your macros.conf, so we can look if we found solution to you?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...