How to pass parameter from savedsearch to a macro (inside the savedsearch) ?

highsplunker
Contributor

hey guys,

i'm stuck with this macro problem, where i cannot run a savedsearch with a macro inside it.

1. i have a savedsearch like this:

.... | eval param1="777" | `myMacro("$param1$")`

2. myMacro is configured like this:

eval mySqlQuery="select * from myTable where someField like ".$param1$." and otherField=='abc' "

3. it doesn't work. the main error i face is this:

Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'mySavedSearch': Error while replacing variable name='param1'. Could not find variable in the argument map..

The closest info i've found is this (which works perfectly in the shown example, but not in my case - and i don't understand why):

https://community.splunk.com/t5/Knowledge-Management/How-do-I-make-macro-arguments-get-parsed-as-fie...

 

i mean, i tried many options with macro and savedsearch configuration (with $-s and "-s), unsuccessfully so far.

P.S. maybe this is important: i try to run a savedsearch, and the guys in the link above just run a search (which i tried as well - and it's OK). anyway, i don't know how to fix my savedsearch scenario...


highsplunker
Contributor

SOLVED 🙂 silly mistake actually. changed the macro to this:

| eval myVal="--"
| `myMacroRASHID2(myVal)`
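
The working arrangement written out as configuration, as an added example that is not part of the original post: the macro and saved search names come from the question, while the stanza contents and the `makeresults` base search are assumptions. A `$param1$` token written directly in a saved search string is a placeholder that the `savedsearch` command tries to fill from its own arguments, which matches the error quoted in the question; passing a field name to the macro avoids it.

```ini
# Constructed example, not the poster's actual configuration.

# macros.conf
[myMacro(1)]
args = param1
# $param1$ is replaced textually with whatever the caller passes. Here the
# caller passes a field name, so eval concatenates that field's value.
definition = eval mySqlQuery="select * from myTable where someField like ".$param1$." and otherField=='abc' "

# savedsearches.conf
[mySavedSearch]
# No $...$ token appears in the search string itself; the macro receives the
# field name myVal. makeresults stands in for the elided base search.
search = | makeresults | eval myVal="777" | `myMacro(myVal)`
# After macro expansion the last command is:
#   eval mySqlQuery="select * from myTable where someField like ".myVal." and otherField=='abc' "
```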

 

 
