Splunk Search

Iteration with macro: How to declare a variable in Macro?

tehong
Explorer

Hi Experts

When using the following eval, I would like to declare a variable in macro as in create_var(3).

| eval var_1 = if(isnull(var_1),"", var_1) , var_2 = if(isnull(var_2),"", var_2), var_3 = if(isnull(var_3),"", var_3) 

In some cases, we want to use MACRO because we need to define more than 30 variables.
I am thinking that I can use foreach or map in the macro, but I am not sure how to do it.

Any advice you could give me would be greatly appreciated!

Labels (2)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

Well, foreach runs a streaming subsearch for each of the fields extracted from the event matching the list.

In your case, the fields are supposedly null so they would not match the foreach command.

Use fillnull with a field list.

| filnull value="" field1 field2 field3 ...

View solution in original post

PickleRick
SplunkTrust
SplunkTrust

Well, foreach runs a streaming subsearch for each of the fields extracted from the event matching the list.

In your case, the fields are supposedly null so they would not match the foreach command.

Use fillnull with a field list.

| filnull value="" field1 field2 field3 ...

kamlesh_vaghela
SplunkTrust
SplunkTrust

@tehong 

You can create macros for this.. Please check below conf and search.

macros.conf

[foreach_macro]
definition = foreach var_* [|eval <<FIELD>> = if(isnull(<<FIELD>>),"-",<<FIELD>>)]
iseval = 0

 

My Sample Search :

| makeresults count=10 
| eval a = 1 
| accum a 
| eval var_{a}="", var_{a} = if(a%2==0,"val".a,null()) 
| rename comment as "Upto now is for sample data only" 
| `foreach_macro`

 

Here I would also suggest fillnull command. Please check below search for same.

| makeresults count=10 
| eval a = 1 
| accum a 
| eval var_{a}="", var_{a} = if(a%2==0,"val".a,null()) 
|rename comment as "Upto now is for sample data only" 
| fillnull value=":)"

https://docs.splunk.com/Documentation/Splunk/8.2.5/SearchReference/Fillnull

 

Thanks
KV


If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

 

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

I would suggest a simple macro (macros.conf):

[evaluate_null_field(1)]
args = field
definition = eval "$field$" = if(isnull('$field$'), "", '$field')
iseval = 0

 

Use like:

<Your search>
| `evaluate_null_field(var_1)`
| `evaluate_null_field(var_2)`
| `evaluate_null_field(var_3)`
| `evaluate_null_field(var_4)`

 

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...