Hello,
I have two fields, Vers0 and Vers1, given in hexadecimal.
They encode the software version in the form
Vers0.Vers1, so e.g. Vers0 = 0f and Vers1 = 10 --> Version: 15.16
Since I will be needing this again down the line, I figured let's make a "function" that, given these two fields, outputs the resulting version.
I found the following example online:
[dec2hex(1)]
args = field_name
definition = eval $field_name$ = tostring($field_name$, "hex")
iseval = 0
Unfortunately, this is not the format I have access to; I have to use the Splunk tool to make a search macro. However, I do not understand its syntax.
The docu here did not help at all.
This is my desired "logic" with the search-macro:
And then I use this "function" using the following search
base search giving me fields Vers0 and Vers1| eval version = `eval_version(Vers0, Vers1)`
but this does not lead to success.
Any insights into what I am doing wrong? I apologize for this somewhat poor description, but Splunk really is doing my head in. How can simple things be this complicated ...
Thanks guys 🙂
The following macro:
with the search
|makeresults | `eval_version(12, 73)`| table dec0 dec1 version
works now.
Note that I needed quotation marks around $Vers0$, $Vers1$
Try this macro definition.
eval dec0=tonumber($Vers0$, 16), dec1=tonumber($Vers1$, 16)| eval version=tostring(dec0).".".tostring(dec1)
Using the same search, this results in error:
Error in 'SearchParser': The definition of macro 'eval_version(2)' is expected to be an eval expression that returns a string.
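As an added illustration (not code posted by anyone in this thread), the two macro styles discussed above could be written in macros.conf as follows. The stanza name `version_expr(2)` is hypothetical, and the quoting in the first stanza follows the note above about quotation marks around $Vers0$ and $Vers1$.

```ini
# Added example, not from the thread. Assumes the macros live in an app's
# local/macros.conf; the same fields appear in the search macro editor.

# Command-style macro: the definition is a full search command, so it is
# called on its own pipeline segment with literal hex values:
#   | makeresults | `eval_version(12, 73)` | table dec0 dec1 version
# The quotes make the substituted text a string literal; without them a
# value such as 0f is not read as a string.
[eval_version(2)]
args = Vers0, Vers1
definition = eval dec0=tonumber("$Vers0$", 16), dec1=tonumber("$Vers1$", 16) | eval version=tostring(dec0).".".tostring(dec1)
# iseval = 0 inserts the definition as search text. With iseval = 1 the
# definition must itself be an eval expression that returns a string,
# which is the condition the SearchParser error refers to.
iseval = 0

# Expression-style macro (hypothetical name): the definition is only an
# eval expression, so it can sit on the right-hand side of an eval and
# take field names as arguments:
#   ... | eval version=`version_expr(Vers0, Vers1)`
# No quotes here, so Vers0 and Vers1 are read as fields of each event.
[version_expr(2)]
args = Vers0, Vers1
definition = tostring(tonumber($Vers0$, 16)).".".tostring(tonumber($Vers1$, 16))
iseval = 0
```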