Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to parse macro name from map command

weidertc
Communicator
‎01-18-2019 07:57 AM

I have a lookup table with a field that contains a macro name. the rows returned from the lookup table dictate which macro needs to run based on the user selection of an input dropdown. I need to get the query to parse the macro and then run the search.

I'm open to different way to accomplish this, but the docs claim map command can do this.

test.csv

id, name
1, macro1

query

| inputlookup test.csv | map [`$name$`] maxsearches=10000

I get no results. It is going in a dashboard too, so i put $$name$$ there, and i get nothing. I tried using the other map syntax using "" instead of [], but everything to no avail.

How can I accomplish this?

Chris

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎01-18-2019 09:11 PM

@weidertc,

Below works with a macro in a dashboard

     <search>
        <query>|inputlookup macro.csv |where id=$macro$|table name|map search="search `$$name$$`"</query>
     </search>

Based on the user selection, one of the macros is selected and run the search defined in the macro

XML

<form>
  <label>MACROS</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="macro">
      <label>Macro</label>
      <choice value="1">1</choice>
      <choice value="2">2</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|inputlookup macro.csv |where id=$macro$|table name|map search="search `$$name$$`"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Alternatively, if you dont have a large number of macros, you could directly add them to the dropdown or load it to the dropdown from lookup and use the macro name directly instead using a map

<form>
  <label>MACROS</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="macro">
      <label>Macro</label>
      <choice value="internal">1</choice>
      <choice value="introspection">2</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>`$macro$`</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Happy Splunking!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

weidertc
Communicator
‎02-02-2022 09:00 AM

If you're not using a dashboard, this solution will work.

The map command cannot parse macros passed to it; however, it can use its own macro with a parameter and parse spl passed to it, even if the spl is a macro.

This does not work:

 

| makeresults count=1
| eval Search="`searchMacro`"
| map search="search $Search$ earliest=@h-1h latest=@m" maxsearches=10

 

This works:

 

| makeresults count=1
| eval Search="`searchMacro`"
| map search="search `Map($Search$)` earliest=@h-1h latest=@m" maxsearches=10

 

You will have to make the Map(1) macro which will function only as a pass-through.

in macro `Map(1)`, set Definition=$map$; Arguments=map.  That's it.

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎01-18-2019 09:11 PM

@weidertc,

Below works with a macro in a dashboard

     <search>
        <query>|inputlookup macro.csv |where id=$macro$|table name|map search="search `$$name$$`"</query>
     </search>

Based on the user selection, one of the macros is selected and run the search defined in the macro

XML

<form>
  <label>MACROS</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="macro">
      <label>Macro</label>
      <choice value="1">1</choice>
      <choice value="2">2</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|inputlookup macro.csv |where id=$macro$|table name|map search="search `$$name$$`"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Alternatively, if you dont have a large number of macros, you could directly add them to the dropdown or load it to the dropdown from lookup and use the macro name directly instead using a map

<form>
  <label>MACROS</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="macro">
      <label>Macro</label>
      <choice value="internal">1</choice>
      <choice value="introspection">2</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>`$macro$`</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

weidertc
Communicator
‎01-22-2019 06:06 AM

thanks. this works. I like the [] syntax better so I don't have to escape the double quotes, but this will do. the dropdown is dynamically created so unfortunately I need the map.

Do I have to add a |s suffix to other internal variables (e.g. $var|s$) so user input of var will have its double quotes escaped?

0 Karma
Reply
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>

Get Updates on the Splunk Community!