Why am I unable to define a working macro to convert a hexadecimal field into a binary field?

clorne
Communicator

Hello,

I would like to define a macro that converts a hexadecimal field into a binary field, because I often have to perform that kind of operation.

In Advanced search -> Search macros, I have added a new macro BinaryConversion:

eval BinaryResult=replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0010") ......

"Use eval-based definition" is not checked.

In my search I use it like that:

....|eval result=`BinaryConversion(STXT)`

I got the following error message:

Error in 'eval' command: The operator at 'BinaryResult=replace(STXT,"1","0001")' is invalid.

I tried directly to pass a string argument:

eval result=`BinaryConversion("1F")`

but I got the same error message.

Regards


sideview
SplunkTrust

Well, the immediate problem is that your macro definition includes the eval command itself, but you're using the macro in a different way. If you think about how Splunk is going to expand out the macro into ... | eval result=`BinaryConversion(STXT)`, the end result after the expansion will be

... | eval result=eval BinaryResult=replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0010") ......

and like the error message says, this is a syntax error. Strangely the eval result=eval is considered OK - you're creating a field called result and assigning it to the value of the "eval" field. 😃 And then the rest of the command it doesn't know how to interpret.
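
An added example, not part of the original posts: one way to apply the correction described above is to make the macro body a bare eval expression, so the caller supplies the `eval` command and chooses the output field. The nested-`replace` body, the `upper()` call and the assumption that the field holds bare hex digits (no `0x` prefix) are illustrative choices.

```ini
# macros.conf (illustrative stanza; the same values can be entered under
# Advanced search -> Search macros with "Use eval-based definition" unchecked)
[BinaryConversion(1)]
args = HexValue
# The body is an expression only: no leading "eval", no pipes, no field assignment.
# Order matters: "0" and "1" are rewritten first, while the string still holds the
# original hex digits. Every later replacement emits only 0s and 1s, so rewriting
# "0" or "1" afterwards would corrupt nibbles that were already converted.
definition = replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(upper($HexValue$),"0","0000"),"1","0001"),"2","0010"),"3","0011"),"4","0100"),"5","0101"),"6","0110"),"7","0111"),"8","1000"),"9","1001"),"A","1010"),"B","1011"),"C","1100"),"D","1101"),"E","1110"),"F","1111")
iseval = 0

# Usage in a search (STXT is the field from the question; the sample value is constructed):
#   | makeresults | eval STXT="1F" | eval result=`BinaryConversion(STXT)`
# After macro expansion the eval command sees a single valid assignment:
#   | eval result=replace(replace( ... upper(STXT) ... ),"F","1111")
# Because the macro no longer names an output field, it can be called several
# times in one search, each call assigning to a different field.
```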

clorne
Communicator

Hello again,
So now I would like to have my macro return a string, in order to use it several times in the same Splunk request. With the current definition, the field BinaryResult is overwritten each time I call my macro.

So my macro is:
replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0010") ...

I have checked "eval-based definition"

How can I define in the macro which value has to be returned?
replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0010") | return Binaryresult???

If I use the macro without having defined the value to be returned, I get the following message:
Error in 'SearchParser': The definition of macro 'BinaryConversion(1)' is expected to be an eval expression that returns a string.

Regards

clorne
Communicator

Hello Sideview,
Thanks for your reply. With this correction, my macro is now working fine.

Regards
