Solved: Using mvappend within a cidrmatch macro

CarbonCriterium · ‎06-30-2021

I already have the following macro `subnet(3)` defined as the following:

| eval subnet = case(cidrmatch("$ip1$/24",src_ip), "$output_name$", cidrmatch("$ip2$",src_ip), "$output_name$")

If I call the macro multiple in the same search the value of the field it creates (also called subnet) will be overwritten by the latest values. I would like to edit the macro so that calling it multiple times appends a new value to subnet. How could I use mvappend, or another command, to accomplish this?

CarbonCriterium · ‎06-30-2021

Never mind. Figuring it out just required taking a step back and reading the docs again.

| eval subnet = mvappend(case(cidrmatch("$ip1$/24",src_ip), "$output_name$", cidrmatch("$ip2$",src_ip), "$output_name$"),subnet)

View solution in original post

CarbonCriterium · ‎06-30-2021

Never mind. Figuring it out just required taking a step back and reading the docs again.

| eval subnet = mvappend(case(cidrmatch("$ip1$/24",src_ip), "$output_name$", cidrmatch("$ip2$",src_ip), "$output_name$"),subnet)

Using mvappend within a cidrmatch macro

eval

Admin Your Splunk Cloud, Your Way

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

New Customer Testimonials