- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Unable to parse macro name from map command
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a lookup table with a field that contains a macro name. the rows returned from the lookup table dictate which macro needs to run based on the user selection of an input dropdown. I need to get the query to parse the macro and then run the search.
I'm open to different way to accomplish this, but the docs claim map command can do this.
test.csv
id, name
1, macro1
query
| inputlookup test.csv | map [`$name$`] maxsearches=10000
I get no results. It is going in a dashboard too, so i put $$name$$ there, and i get nothing. I tried using the other map syntax using "" instead of [], but everything to no avail.
How can I accomplish this?
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@weidertc,
Below works with a macro in a dashboard
<search>
<query>|inputlookup macro.csv |where id=$macro$|table name|map search="search `$$name$$`"</query>
</search>
Based on the user selection, one of the macros is selected and run the search defined in the macro
XML
<form>
<label>MACROS</label>
<fieldset submitButton="false">
<input type="dropdown" token="macro">
<label>Macro</label>
<choice value="1">1</choice>
<choice value="2">2</choice>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>|inputlookup macro.csv |where id=$macro$|table name|map search="search `$$name$$`"</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
Alternatively, if you dont have a large number of macros, you could directly add them to the dropdown or load it to the dropdown from lookup and use the macro name directly instead using a map
<form>
<label>MACROS</label>
<fieldset submitButton="false">
<input type="dropdown" token="macro">
<label>Macro</label>
<choice value="internal">1</choice>
<choice value="introspection">2</choice>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>`$macro$`</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're not using a dashboard, this solution will work.
The map command cannot parse macros passed to it; however, it can use its own macro with a parameter and parse spl passed to it, even if the spl is a macro.
This does not work:
| makeresults count=1
| eval Search="`searchMacro`"
| map search="search $Search$ earliest=@h-1h latest=@m" maxsearches=10
This works:
| makeresults count=1
| eval Search="`searchMacro`"
| map search="search `Map($Search$)` earliest=@h-1h latest=@m" maxsearches=10
You will have to make the Map(1) macro which will function only as a pass-through.
in macro `Map(1)`, set Definition=$map$; Arguments=map. That's it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@weidertc,
Below works with a macro in a dashboard
<search>
<query>|inputlookup macro.csv |where id=$macro$|table name|map search="search `$$name$$`"</query>
</search>
Based on the user selection, one of the macros is selected and run the search defined in the macro
XML
<form>
<label>MACROS</label>
<fieldset submitButton="false">
<input type="dropdown" token="macro">
<label>Macro</label>
<choice value="1">1</choice>
<choice value="2">2</choice>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>|inputlookup macro.csv |where id=$macro$|table name|map search="search `$$name$$`"</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
Alternatively, if you dont have a large number of macros, you could directly add them to the dropdown or load it to the dropdown from lookup and use the macro name directly instead using a map
<form>
<label>MACROS</label>
<fieldset submitButton="false">
<input type="dropdown" token="macro">
<label>Macro</label>
<choice value="internal">1</choice>
<choice value="introspection">2</choice>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>`$macro$`</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks. this works. I like the [] syntax better so I don't have to escape the double quotes, but this will do. the dropdown is dynamically created so unfortunately I need the map.
Do I have to add a |s suffix to other internal variables (e.g. $var|s$) so user input of var will have its double quotes escaped?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
