Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to reference a string variable in a search to avoid retyping it?

rpolanco
New Member
‎10-14-2014 08:37 AM

This is the search that I'm trying to do but it does not return anything. I'm trying to create a string variable and referencing it in a search so that I don't have to retype it eight times. And if I wan't to change the string, I only have to do it once.

| eval subnet="207.45.47.0/24" | search src_ip=subnet OR source_address=subnet OR src_translated_ip=subnet OR nat_source_address=subnet OR dest_ip=subnet OR destination_address=subnet OR dest_translated_ip=subnet OR nat_destination_address=subnet

Is this allowed or is there a better way of doing it?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aweitzman
Motivator
‎10-14-2014 08:58 AM

You could create a search macro that takes one variable, and then plug that variable in multiple places. So for instance:

Under Settings > Advanced search > Search macros > Add new,

create a new macro for the search app that takes one argument (say, addrmacro(1))

In the Defintion section, write:

src_ip=$arg1$ OR source_address=$arg1$ OR src_translated_ip=$arg1$ OR nat_source_address=$arg1$ OR dest_ip=$arg1$ OR destination_address=$arg1$ OR dest_translated_ip=$arg1$ OR nat_destination_address=$arg1$

In the Arguments section, write arg1.

Then save it.

Now, you should be able to use it on the search bar, like addrmacro("207.45.47.0/24") with backquotes surrounding it, so Splunk knows it's a macro call. (I can't figure out how to write backquotes here, but imagine that they're there.)

View solution in original post

Reply
Solved! Jump to solution
Solution

aweitzman
Motivator
‎10-14-2014 08:58 AM

You could create a search macro that takes one variable, and then plug that variable in multiple places. So for instance:

Under Settings > Advanced search > Search macros > Add new,

create a new macro for the search app that takes one argument (say, addrmacro(1))

In the Defintion section, write:

src_ip=$arg1$ OR source_address=$arg1$ OR src_translated_ip=$arg1$ OR nat_source_address=$arg1$ OR dest_ip=$arg1$ OR destination_address=$arg1$ OR dest_translated_ip=$arg1$ OR nat_destination_address=$arg1$

In the Arguments section, write arg1.

Then save it.

Now, you should be able to use it on the search bar, like addrmacro("207.45.47.0/24") with backquotes surrounding it, so Splunk knows it's a macro call. (I can't figure out how to write backquotes here, but imagine that they're there.)

Reply
Solved! Jump to solution

rpolanco
New Member
‎10-14-2014 09:34 AM

Got it to work; I forgot the bacquotes.

Thanks

0 Karma
Reply
Solved! Jump to solution

rpolanco
New Member
‎10-14-2014 09:22 AM

I tried creating the macro and the search still does not return anything even if a type a specific IP instead of the subnet. This is the search:

subnet("207.45.47.0/24")

Not sure why it's not returning anything. The fields in the macro's definition match exactly.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2014 09:11 AM

This is a good answer, but will still fail to return anything if the fields don't exactly match the argument. My crystal ball is a little cloudy, but I believe the OP needs to use a pattern (207.45.47.*) instead of a CIDR.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

aweitzman
Motivator
‎10-14-2014 09:15 AM

You're probably right. The OP will likely want to combine both answers to get what they really want.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2014 08:55 AM

That should work, assuming the fields you are trying to match contain the exact string "207.45.47.0/24". If you are trying to do a CIDR match you need to use the cidrmatch eval function or change your 'subnet' string to "207.45.47.*".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top