Splunk Search

Search Marcro - Sending Results to Macro Variable.

chrisboy68
Contributor

Hi, I'm having the hardest time trying to figure out how to pass an event field into a variable argument to be used in a macro. 

This is my test_macro accepting one argument. 

 

| eval $sub_arg$=subject | sendemail to="myemail address" format="html" server="myserver address" use_tls=1 subject= $sub_arg$

 

 

Test SPL :

|  makeresults 
|  eval subject = "Test Subject"
 `test_macro(subject)`

 

The subject comes into / validated to "subject" and not "Test Subject". What am I doing wrong?

Thank you!

Chris 

Labels (1)
Tags (1)
0 Karma

chrisboy68
Contributor

Neither work." test_macro($subject$)`", sends the literal string "$subject$" and the other fails to run.

0 Karma

me74fhfd
Path Finder

alternatively:

| makeresults
| eval subject = "Test Subject"
| `test_macro($subject$)`

0 Karma

me74fhfd
Path Finder

Can you please try this:

| makeresults
| `test_macro(subject="Test Subject")`

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...