Splunk Search

Why am I unable to define a working macro to convert a hexadecimal field into a binary field?

Path Finder

Hello,

I would like to define a MACRO that converts a hexadecimal field into a binary field, because I often have to perform that kind of operation.

In Advanced search -> Search macros, I have added a new macro BinaryConversion:

eval BinaryResult=replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0011") ......

"Use eval-based definition" is not checked.

In my search I use it like that:

....|eval result=`BinaryConversion(STXT)`

I got the following error message:

Error in 'eval' command: The operator at 'BinaryResult=replace(STXT,"1","0001")' is invalid.

I tried directly to pass a string argument:

eval result=`BinaryConversion("1F")`

but I got the same error message.

Regards

0 Karma
1 Solution

SplunkTrust

Well, the immediate problem is that your macro definition includes the eval command itself, but you're using the macro in a different way. If you think about how Splunk is going to expand out the macro into ... | eval result=`BinaryConversion(STXT)`, the end result after the expansion will be

... | eval result=eval BinaryResult=replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0011") ......

and like the error message says, this is a syntax error. Strangely the eval result=eval is considered OK - you're creating a field called result and assigning it to the value of the "eval" field. 😃 And then the rest of the command it doesn't know how to interpret.
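The expansion described in this answer, as an added example that is not part of the original thread: a simplified Python model of non-eval macro substitution (an assumption about the mechanism, not Splunk's code). The `EXPRESSION` definition and the field name `OTHER` are hypothetical.

```python
import re

# Simplified model (an assumption, not Splunk's code): a non-eval macro call
# `name(args)` is replaced by the macro definition, with every $param$ token
# replaced by the text of the matching argument.
def expand(search, macros):
    def paste(match):
        name, raw_args = match.group(1), match.group(2)
        if name not in macros:
            return match.group(0)  # unknown macro: leave the call untouched
        params, definition = macros[name]
        args = [a.strip() for a in raw_args.split(",")]
        for param, arg in zip(params, args):
            definition = definition.replace(f"${param}$", arg)
        return definition
    return re.sub(r"`(\w+)\(([^`]*)\)`", paste, search)

# Definition as posted in the question: it begins with the eval command.
POSTED = ('eval BinaryResult=replace($HexValue$,"1","0001")'
          '| eval BinaryResult = replace(BinaryResult , "2", "0011")')

# Hypothetical alternative: a bare expression that can follow "eval x=".
# Only two digits are mapped to keep the model short.
EXPRESSION = 'replace(replace($HexValue$,"1","0001"),"2","0010")'

def expanded_search(definition, search):
    """Expand BinaryConversion(1) calls in `search` using `definition`."""
    return expand(search, {"BinaryConversion": (["HexValue"], definition)})

if __name__ == "__main__":
    call = "... | eval result=`BinaryConversion(STXT)`"
    # Posted definition: the pasted text starts with a second "eval".
    print(expanded_search(POSTED, call))
    # Expression-only definition: the pasted text is a valid right-hand side.
    print(expanded_search(EXPRESSION, call))
    # Two calls in one eval; OTHER is a constructed field name.
    print(expanded_search(EXPRESSION, call + ", other=`BinaryConversion(OTHER)`"))
```

The first printed line contains the fragment quoted in the error message from the question; the other two show that an expression-only definition does not write to a fixed BinaryResult field.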

Path Finder

Hello again,
So now I would like to have my macro return a string, in order to use it several times in the same Splunk request. With the current definition, the field BinaryResult is overwritten each time I call my macro.

So my macro is :
replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0010") ...

I have checked "eval-based definition"

How can I define in the Macro which value has to be returned ?
replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0010") | return Binaryresult???

If I use the macro without having defined the value to be returned, I get the following message:
Error in 'SearchParser': The definition of macro 'BinaryConversion(1)' is expected to be an eval expression that returns a string.

Regards

0 Karma

Path Finder

Hello Sideview,
Thanks for your reply. With this correction, my macro is now working fine.

Regards

0 Karma