Splunk Search

How to use the lookup table into a macro with parameters?

rafamss
Contributor

I have a lookup table with filters and SPLs columns/values by product/client. I want to use a macro passing the product/client as an argument, and the result should be the entire filter or SPLs. Is there any way to do it?

For example:

index=X
`mymacro(productA)`

mymacro definition should return the values in the lookup table related to the productA.

The search above should return all the fields, commands, and so on related to this productA and execute the search.


rafamss
Contributor

Thank you all for the help, but let me be more specific.

Macro definition: mymacro(1) - Based on the customer name, it should return some fields, such as index, sourcetype, filters and so on.

| eval customer="$arg1$" | lookup use_cases.csv customer OUTPUT customer use_case_data_source | fields use_case_data_source | head 1

Search: The field returned by the macro should fill the index field in the search.

`mymacro(client_01)`
index=use_case_data_source


Using Job Inspector, the eventSearch field is filled like this:

search | eval customer="client_01" | lookup use_cases.csv customer OUTPUT customer use_case_data_source | fields + use_case_data_source | search index=use_case_data_source

Maybe I'm missing something or I'm a little rusty.

gcusello
SplunkTrust

Hi @rafamss,

Create your own search using the lookup, then, when you're sure, move that part of the search into the macro definition, choosing the correct parameters to pass, e.g. if you have

index=X [ | inputlookup my_lookup.csv WHERE product=productA | fields client ]
| ...

it becomes:

macro:

[ | inputlookup my_lookup.csv WHERE product=$product$ | fields client ]

search:

index=X `mymacro(productA)`

Be careful to identify all the possible choices, e.g. if you can pass a product or a client, you have to pass two parameters to the macro, e.g.

[ | inputlookup my_lookup.csv WHERE $field$=$product$ | fields client ]

and the search becomes:

index=X `mymacro(product,productA)`

It all depends on the content of the macro; for this reason I suggested earlier trying the search without the macro.

Ciao.

Giuseppe
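
The subsearch pattern from the answer above, applied to the use_cases.csv lookup from the question, as an added example that is not code posted by anyone in this thread. A macro is expanded as text before the search runs, so the lookup has to run in a subsearch whose output field is named after what it should filter on. The argument name customer, the second macro mymacro_filter and the use_case_filter column are hypothetical.

```ini
# macros.conf (added example; stanza and argument names are assumptions)

# Macro expansion is plain text substitution: an "| eval ... | lookup ..." body
# only adds pipeline stages and never feeds a value into "index=...".
# A subsearch does: it runs first, and its result row is rewritten as
# field="value" terms inside the outer search.
[mymacro(1)]
args = customer
definition = [ | inputlookup use_cases.csv WHERE customer="$customer$" | head 1 | rename use_case_data_source AS index | fields index ]
# Usage:            `mymacro(client_01)` | stats count BY sourcetype
# Effectively runs: index="<use_case_data_source value for client_01>" | stats count BY sourcetype

# Hypothetical variant: the lookup also has a column use_case_filter that
# holds a filter expression, for example: sourcetype=fw action=blocked
# A subsearch field named "search" is inserted as-is instead of as field="value".
[mymacro_filter(1)]
args = customer
definition = [ | inputlookup use_cases.csv WHERE customer="$customer$" | head 1 | rename use_case_filter AS search | fields search ]
# Usage: index=X `mymacro_filter(client_01)`
# Whoever can edit use_cases.csv controls what this search filters on, so
# restrict write access to the lookup file.
```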

isoutamo
SplunkTrust

There are some limitations on using macros inside macros, but in most cases you could do almost everything with macros instead of writing SPL code directly.

@woodcock if I recall right you have a really nice presentation about how to use macros for looping etc? Can you share the link to it?

woodcock
Esteemed Legend

richgalloway
SplunkTrust

There's nothing magical about macros.  If you can do it in SPL then it's trivial to make the SPL into a macro.  Unfortunately, I'm fairly certain this cannot be done.

---
If this reply helps you, Karma would be appreciated.