Solved: I have developed a good search, but need to notify...

rcole2 · ‎04-10-2017

Snippet of search
SEARCH
| eval runmacro = if(deltadif="NO","TurnTimeRecovered","TurnTimeWarning")
runmacro

comment(" +++++++++TurnTimeWarning | where alertnamecount>0 | where alertnamecount=(count+1) +++++++++++++++ ")

comment(" +++++++++TurnTimeRecovered | where alertnamecount=0 | head 1 | where count=1 | where deltadif = "NO" ++++++++++++ ")

The macros exist and the comments above are the exact macros. From the 'deltadif' value I need to perform one of the above macros. This runs successfully, but it appears the macro is not executing. When I run each one inline, they function as expected, but require a unique search for each.
Can a variable be set as a macro and be called; if so how? Or is there a better solution?

woodcock · ‎04-10-2017

Yes, like this:

.... | eval runmacro = if(deltadif="NO","`TurnTimeRecovered`","`TurnTimeWarning`")
| map search="search Other Stuff Here | `$runmacro$`"

View solution in original post

woodcock · ‎04-10-2017

Yes, like this:

.... | eval runmacro = if(deltadif="NO","`TurnTimeRecovered`","`TurnTimeWarning`")
| map search="search Other Stuff Here | `$runmacro$`"

woodcock · ‎04-10-2017

You can turn this inside-out and do the same thing with a subsearch:
http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchTutorial/Useasubsearch

The 2 templatizing approaches are map and subsearch.

rcole2 · ‎04-12-2017

That's what I wasn't considering -- running separate search. Thanks for the guidance; it does appear to give me what I'm looking for.

I have developed a good search, but need to notify a recovery or alert depending on the output of the search. The difference between the two outcomes is just a couple of lines that I have not been able to configure in a single search

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes