Solved: Using mvappend within a cidrmatch macro

CarbonCriterium · ‎06-30-2021

I already have the following macro `subnet(3)` defined as the following:

| eval subnet = case(cidrmatch("$ip1$/24",src_ip), "$output_name$", cidrmatch("$ip2$",src_ip), "$output_name$")

If I call the macro multiple in the same search the value of the field it creates (also called subnet) will be overwritten by the latest values. I would like to edit the macro so that calling it multiple times appends a new value to subnet. How could I use mvappend, or another command, to accomplish this?

CarbonCriterium · ‎06-30-2021

Never mind. Figuring it out just required taking a step back and reading the docs again.

| eval subnet = mvappend(case(cidrmatch("$ip1$/24",src_ip), "$output_name$", cidrmatch("$ip2$",src_ip), "$output_name$"),subnet)

View solution in original post

CarbonCriterium · ‎06-30-2021

Never mind. Figuring it out just required taking a step back and reading the docs again.

| eval subnet = mvappend(case(cidrmatch("$ip1$/24",src_ip), "$output_name$", cidrmatch("$ip2$",src_ip), "$output_name$"),subnet)

Using mvappend within a cidrmatch macro

eval

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Are you a member of the Splunk Community?

Using mvappend within a cidrmatch macro

eval

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025