Solved: Why nested macros using the same argument wont wor...

joshiro · ‎03-03-2023

We have this scenario where two nested macros using the same argument raises an error at the parsing of the second one because of the double quotes in the arguments dissapear.

If we define the two macros as the following:
"test_args2(1)" -> `test_args("$args$")`
"test_args(1)" -> | eval arguments = $args$

And then run the following search:

| makeresults
`test_arguments2("[| makeresults | eval arguments = tostring(floor(relative_time(_time, "@y"))) | return $arguments]")`
| table arguments

It raises the following error:

And the search log shows that after expanding the first macro then it removes the double quotations from the argument:

PARSING: | makeresults \n`test_arguments2("[| makeresults | eval arguments = tostring(floor(relative_time(_time, "@y"))) | return $arguments]")`\n| table arguments
AFTER EXPANDING MACROS: | makeresults \n| eval arguments = [| makeresults | eval arguments = tostring(floor(relative_time(_time, @y))) | return $arguments]\n| table arguments

It doesnt work either if we scape the doble quotes as:

| makeresults
`test_arguments2("[| makeresults | eval arguments = tostring(floor(relative_time(_time, \"@y\"))) | return $arguments]")`
| table arguments

Has anyone encounter a similar issue? How did you get around it or solve it?

joshiro · ‎03-07-2023

We managed get a workaround this issue by creating a third macro with the whole string we are passing as the argument:

`args` -> | makeresults | eval arguments = tostring(floor(relative_time(_time, "@y"))) | return $arguments

Now we can run he following SPL without the parsing error:

| makeresults
`test_arguments2("[`args`]")`
| table arguments

By using the third macro with the arguments, we avoid Splunk to parse the arguments directly and removing the double quotes.

View solution in original post

PickleRick · ‎03-07-2023

You're expanding arguments twice so you might need escaping them twice.

Like

`test_arguments2("\"[| makeresults | eval arguments = tostring(floor(relative_time(_time, \"@y\"))) | return $arguments]\"")`

The '@y' part could also use escaping backslashes so that it turns into \\\"@y\\\"

Yes, nested (un)escaping can be a PITA

joshiro · ‎03-08-2023

Thanks for the feedback.

This approach is also working correctly, no longer raises the same error when removes the double quotes from the "@y".
But it wont work if you nest the macros more than 2 times.

PickleRick · ‎03-08-2023

It should work. But you'll need so much more escaping that your head will spin since all escaped backslashes will need escaping again. (same goes often in bash scripts - my record was something similar to \\\\\\\\" 🤣)

joshiro · ‎03-08-2023

Yes, that is what we thought, but since we dont know how much nesting depth we are going to use, we just cant hardcode the escaped backslashes all the way down.

joshiro · ‎03-07-2023

We managed get a workaround this issue by creating a third macro with the whole string we are passing as the argument:

`args` -> | makeresults | eval arguments = tostring(floor(relative_time(_time, "@y"))) | return $arguments

Now we can run he following SPL without the parsing error:

| makeresults
`test_arguments2("[`args`]")`
| table arguments

By using the third macro with the arguments, we avoid Splunk to parse the arguments directly and removing the double quotes.

Why nested macros using the same argument wont work when the argument has strings in double quotes?

other

search job inspector

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!