Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to reference a string variable in a search to avoid retyping it?

rpolanco
New Member
‎10-14-2014 08:37 AM

This is the search that I'm trying to do but it does not return anything. I'm trying to create a string variable and referencing it in a search so that I don't have to retype it eight times. And if I wan't to change the string, I only have to do it once.

| eval subnet="207.45.47.0/24" | search src_ip=subnet OR source_address=subnet OR src_translated_ip=subnet OR nat_source_address=subnet OR dest_ip=subnet OR destination_address=subnet OR dest_translated_ip=subnet OR nat_destination_address=subnet

Is this allowed or is there a better way of doing it?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aweitzman
Motivator
‎10-14-2014 08:58 AM

You could create a search macro that takes one variable, and then plug that variable in multiple places. So for instance:

Under Settings > Advanced search > Search macros > Add new,

create a new macro for the search app that takes one argument (say, addrmacro(1))

In the Defintion section, write:

src_ip=$arg1$ OR source_address=$arg1$ OR src_translated_ip=$arg1$ OR nat_source_address=$arg1$ OR dest_ip=$arg1$ OR destination_address=$arg1$ OR dest_translated_ip=$arg1$ OR nat_destination_address=$arg1$

In the Arguments section, write arg1.

Then save it.

Now, you should be able to use it on the search bar, like addrmacro("207.45.47.0/24") with backquotes surrounding it, so Splunk knows it's a macro call. (I can't figure out how to write backquotes here, but imagine that they're there.)

View solution in original post

Reply
Solved! Jump to solution
Solution

aweitzman
Motivator
‎10-14-2014 08:58 AM

You could create a search macro that takes one variable, and then plug that variable in multiple places. So for instance:

Under Settings > Advanced search > Search macros > Add new,

create a new macro for the search app that takes one argument (say, addrmacro(1))

In the Defintion section, write:

src_ip=$arg1$ OR source_address=$arg1$ OR src_translated_ip=$arg1$ OR nat_source_address=$arg1$ OR dest_ip=$arg1$ OR destination_address=$arg1$ OR dest_translated_ip=$arg1$ OR nat_destination_address=$arg1$

In the Arguments section, write arg1.

Then save it.

Now, you should be able to use it on the search bar, like addrmacro("207.45.47.0/24") with backquotes surrounding it, so Splunk knows it's a macro call. (I can't figure out how to write backquotes here, but imagine that they're there.)

Reply
Solved! Jump to solution

rpolanco
New Member
‎10-14-2014 09:34 AM

Got it to work; I forgot the bacquotes.

Thanks

0 Karma
Reply
Solved! Jump to solution

rpolanco
New Member
‎10-14-2014 09:22 AM

I tried creating the macro and the search still does not return anything even if a type a specific IP instead of the subnet. This is the search:

subnet("207.45.47.0/24")

Not sure why it's not returning anything. The fields in the macro's definition match exactly.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2014 09:11 AM

This is a good answer, but will still fail to return anything if the fields don't exactly match the argument. My crystal ball is a little cloudy, but I believe the OP needs to use a pattern (207.45.47.*) instead of a CIDR.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

aweitzman
Motivator
‎10-14-2014 09:15 AM

You're probably right. The OP will likely want to combine both answers to get what they really want.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2014 08:55 AM

That should work, assuming the fields you are trying to match contain the exact string "207.45.47.0/24". If you are trying to do a CIDR match you need to use the cidrmatch eval function or change your 'subnet' string to "207.45.47.*".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...