Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Macro Argument not applying

ebs
Communicator
‎05-23-2021 11:02 PM

Hi.

I've created the following macro: sessionCount(1)

With this definition:

datamodel Test summariesonly=true search | search "TEST.date"=$date$ | stats count(exchangeId)

But when I enter this search: | `sessionCount(2021-05-18)` it doesn't work

But this search does: | datamodel Test summariesonly=true search | search "TEST.date"=2021-05-18 | stats count(exchangeId)

 

What am I doing wrong?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aasabatini
Motivator
‎05-23-2021 11:33 PM

Hi @ebs 

check if the macro is public or private, also check all the permissions

Regards

Alessandro

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

aasabatini
Motivator
‎05-23-2021 11:33 PM

Hi @ebs 

check if the macro is public or private, also check all the permissions

Regards

Alessandro

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Solved! Jump to solution

ebs
Communicator
‎05-25-2021 03:29 PM

It seems it was a permissions issue, just took a while to propagate. Thank you!

0 Karma
Reply
Solved! Jump to solution

ebs
Communicator
‎05-24-2021 03:50 PM

I fixed the permissions, but its still not working

0 Karma
Reply
Solved! Jump to solution

aasabatini
Motivator
‎05-24-2021 10:50 PM

Hi @ebs 

Can you click on the searchand digit this sequence to expand the macro?

crtl+shift+e

New in 6.6, there is now a keystroke to expand macros in the search window! Click inside your search and press cmd-shift-E (on Mac, should be shift-WIN-E on Windows) and you'll see a window like this:

and please share the screen

Regards

Alessandro

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...