Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Usage of fieldname and field value for a foreach macro

esmond
Engager
‎10-04-2020 11:52 PM

Hi,

I am trying to produce a macro with an event summary that would contain both the field name and field value and a single field

my query is as follows:

 

| makeresults 
| eval time="2020-10-05 05:44:27" 
| eval file="Generic.exe" 
| eval signature="Generic" 
| eval Event_Summary="" 
| foreach time file signature 
    [ eval Event_Summary=Event_Summary."|"."<<FIELD>>".": ".'<<FIELD>>'] 
| eval Event_Summary=split(Event_Summary,"|")

 

how do i make the macro such that the arguments i throw in, will become the fields in the foreach statement?
The macro i have tried to create is :

 

| eval Event_Summary=""
| foreach $fields$
    [ eval Event_Summary=Event_Summary."|"."<<FIELD>>".": ".'<<FIELD>>']
| eval Event_Summary=split(Event_Summary,"|")

 

Hoping to achieve the below:

 

| makeresults 
| eval time="2020-10-05 05:44:27" 
| eval file="Generic.exe" 
| eval signature="Generic" 
| eval fields="time file signature"
`Summarize(fields)`
|table Event_Summary

 

But i can't figure out how to change the argument string to fields

Edit:

one more condition is that i would want the macro to be flexible in being able to take in any number of fields and not just a fixed number of 3 fields/arguments.

 

Labels (2)
Labels
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎10-05-2020 12:52 AM 
| makeresults 
| eval time="2020-10-05 05:44:27" 
| eval file="Generic.exe" 
| eval signature="Generic" 
`foreachFields(_time,signature,file)`
|table Event_Summary

you can rename the macro name as you wish.

thambisetty_0-1601884304321.png

 

————————————
If this helps, give a like below.
Reply

esmond
Engager
‎10-05-2020 12:57 AM

Hi Thambisetty,

Thanks for your reply, i neglected to include another condition, that i would want the macro to be flexible in being able to take in any number of fields and not just a fixed number of 3

I have updated my original post.

You solution does work for a fixed number of 3 arguments, perhaps would you be able to figure out with my additional condition? hehe

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...