Solved: Re: Unable to parse macro name from map command

weidertc · ‎01-18-2019

I have a lookup table with a field that contains a macro name. the rows returned from the lookup table dictate which macro needs to run based on the user selection of an input dropdown. I need to get the query to parse the macro and then run the search.

I'm open to different way to accomplish this, but the docs claim map command can do this.

test.csv

id, name
1, macro1

query

| inputlookup test.csv | map [`$name$`] maxsearches=10000

I get no results. It is going in a dashboard too, so i put $$name$$ there, and i get nothing. I tried using the other map syntax using "" instead of [], but everything to no avail.

How can I accomplish this?

Chris

renjith_nair · ‎01-18-2019

@weidertc,

Below works with a macro in a dashboard

     <search>
        <query>|inputlookup macro.csv |where id=$macro$|table name|map search="search `$$name$$`"</query>
     </search>

Based on the user selection, one of the macros is selected and run the search defined in the macro

XML

<form>
  <label>MACROS</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="macro">
      <label>Macro</label>
      <choice value="1">1</choice>
      <choice value="2">2</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|inputlookup macro.csv |where id=$macro$|table name|map search="search `$$name$$`"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Alternatively, if you dont have a large number of macros, you could directly add them to the dropdown or load it to the dropdown from lookup and use the macro name directly instead using a map

<form>
  <label>MACROS</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="macro">
      <label>Macro</label>
      <choice value="internal">1</choice>
      <choice value="introspection">2</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>`$macro$`</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

weidertc · ‎02-02-2022

If you're not using a dashboard, this solution will work.

The map command cannot parse macros passed to it; however, it can use its own macro with a parameter and parse spl passed to it, even if the spl is a macro.

This does not work:

| makeresults count=1
| eval Search="`searchMacro`"
| map search="search $Search$ earliest=@h-1h latest=@m" maxsearches=10

This works:

| makeresults count=1
| eval Search="`searchMacro`"
| map search="search `Map($Search$)` earliest=@h-1h latest=@m" maxsearches=10

You will have to make the Map(1) macro which will function only as a pass-through.

in macro `Map(1)`, set Definition=$map$; Arguments=map. That's it.

renjith_nair · ‎01-18-2019

@weidertc,

Below works with a macro in a dashboard

     <search>
        <query>|inputlookup macro.csv |where id=$macro$|table name|map search="search `$$name$$`"</query>
     </search>

Based on the user selection, one of the macros is selected and run the search defined in the macro

XML

<form>
  <label>MACROS</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="macro">
      <label>Macro</label>
      <choice value="1">1</choice>
      <choice value="2">2</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|inputlookup macro.csv |where id=$macro$|table name|map search="search `$$name$$`"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Alternatively, if you dont have a large number of macros, you could directly add them to the dropdown or load it to the dropdown from lookup and use the macro name directly instead using a map

<form>
  <label>MACROS</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="macro">
      <label>Macro</label>
      <choice value="internal">1</choice>
      <choice value="introspection">2</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>`$macro$`</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

---
What goes around comes around. If it helps, hit it with Karma 🙂

weidertc · ‎01-22-2019

thanks. this works. I like the [] syntax better so I don't have to escape the double quotes, but this will do. the dropdown is dynamically created so unfortunately I need the map.

Do I have to add a |s suffix to other internal variables (e.g. $var|s$) so user input of var will have its double quotes escaped?

Unable to parse macro name from map command

XML

XML

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

Are you a member of the Splunk Community?

Unable to parse macro name from map command

XML

XML

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud