Solved: Why am I unable to define a working macro to conve...

clorne · ‎10-15-2015

Hello,

I would like to define a MACRO that converts hexadecimal field into a binary fields because I often have to perform that kind of operation.

In Advanced search -> Search macros, I have add a new macro BinaryConversion:

eval BinaryResult=replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0011") ......

Use eval-based definition is not checked.

In my search I use it like that:

....|eval result=`BinaryConversion(STXT)`

I got the following error message:

Error in 'eval' command: The operator at 'BinaryResult=replace(STXT,"1","0001")' is invalid.

I tried directly to pass a string argument:

eval result=`BinaryConversion("1F")

but I got the same error message.

Regards

sideview · ‎10-15-2015

Well the immediate problem is that your macro definition includes the eval command itself, but you're using the macro in a different way. If you think about how Splunk is going to expand out the macro into ... | eval result='BinaryConversion(STXT)', the end result after the expansion will be

... | eval result=eval BinaryResult=replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0011") ......

and like the error message says, this is a syntax error. Strangely the eval result=eval is considered OK - you're creating a field called result and assigning it to the value of the "eval" field. 😃 And then the rest of the command it doesn't know how to interpret.

View solution in original post

sideview · ‎10-15-2015

Well the immediate problem is that your macro definition includes the eval command itself, but you're using the macro in a different way. If you think about how Splunk is going to expand out the macro into ... | eval result='BinaryConversion(STXT)', the end result after the expansion will be

... | eval result=eval BinaryResult=replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0011") ......

and like the error message says, this is a syntax error. Strangely the eval result=eval is considered OK - you're creating a field called result and assigning it to the value of the "eval" field. 😃 And then the rest of the command it doesn't know how to interpret.

clorne · ‎10-19-2015

Hello again,
So now I would like to have my macro that returns a string in order to use it several times in the same Splunk request. With the current diefinition The field BinaryResult is overwritten each time I call my macro

So my macro is :
replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0010") ...

I have checked "eval-based definition"

How can I define in the Macro which value has to be returned ?
replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0010") | return Binaryresult???

If I use the macro without having defined the value to be returned, I get the following message:
Error in 'SearchParser': The definition of macro 'BinaryConversion(1)' is expected to be an eval expression that returns a string.

Regards

clorne · ‎10-19-2015

Hello Sideview,
Thanks for your reply. With this correction, my macro is now working fine.

Regards

Why am I unable to define a working macro to convert a hexadecimal field into a binary field?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM