Hello,
Could someone explain what I am doing wrong in using a macro?
Here is the macros.conf file
[GET_IP]
definition = 127.0.0.1
The search query I intend to use is:
source="mySource" AND object.ip_address='GET_IP'
However, if I paste the above query in the search bar, I obtain no result. On the other hand, if I do the same thing for the expanded query (source="mySource" AND object.ip_address=127.0.0.1), I get all the events back.
You need to use backticks, not quotes, and probably make it an eval macro.
macros.conf
[GET_IP]
definition = "\"127.0.0.1\""
iseval = true
source="mySource" object.ip_address=`GET_IP`
Thanks. Worked with: definition = "127.0.0.1"
try your initial definition.
Thanks. I'm still getting an error back. This time it is "Error in 'SearchParser': The definition of macro 'GET_IP' is expected to be an eval expression that returns a string"
try this url: http://your_splunk:8000/en-US/debug/refresh/?entity=admin/macros
and then try your search again.
The "backtip" opened my eyes about how to properly use a macro in a search. Now I obtain an error: Error in 'SearchParser': Could not find macro 'GET_IP' that takes 0 arguments. Expecting stanza name 'GET_IP'.
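The three failure modes seen in this thread (a quoted macro name, a missing stanza for the argument count, and an eval macro whose definition is not a string expression) can be checked before a search is saved. The following is an added example, not part of the thread and not Splunk's own parser: a simplified lint over constructed macros.conf text, where the `BAD_EVAL` stanza, the finding codes and the bare-token heuristic are assumptions made for illustration.

```python
import configparser
import re

# Constructed macros.conf text: the stanza styles from the thread, plus an
# eval macro whose definition is a bare value rather than a string expression.
SAMPLE_CONF = r'''
[GET_IP]
definition = 127.0.0.1

[GET_IP_EVAL]
definition = "\"127.0.0.1\""
iseval = true

[BAD_EVAL]
definition = 127.0.0.1
iseval = true
'''

STANZA = re.compile(r"(\w+)(?:\((\d+)\))?")     # name or name(argc)
CALL = re.compile(r"`(\w+)(?:\(([^`]*)\))?`")   # `name` or `name(a, b)`

def load_macros(conf_text):
    """Map (name, argument count) -> stanza for every macro stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    macros = {}
    for stanza in cp.sections():
        m = STANZA.fullmatch(stanza)
        if m:
            macros[(m.group(1), int(m.group(2) or 0))] = cp[stanza]
    return macros

def lint(search, macros):
    """Return sorted (code, macro name) findings for one search string."""
    findings = set()
    names = {name for name, _ in macros}
    # Quoted macro names are compared as literal strings, never expanded.
    for name in re.findall(r"""['"](\w+)['"]""", search):
        if name in names:
            findings.add(("quoted-not-expanded", name))
    for name, args in CALL.findall(search):
        argc = len(args.split(",")) if args.strip() else 0
        stanza = macros.get((name, argc))
        if stanza is None:
            findings.add(("no-stanza-for-argc", name))
        elif stanza.getboolean("iseval", fallback=False) and \
                re.fullmatch(r"[\w.]+", stanza.get("definition", "")):
            # Heuristic: a bare token is not a string-valued eval expression.
            findings.add(("eval-definition-not-string", name))
    return sorted(findings)
```

The lint only reads the configuration text it is given; a stanza that exists on disk but has not been reloaded, or is not shared with the app running the search, still has to be checked in Splunk itself.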