We have this scenario where two nested macros using the same argument raises an error at the parsing of the second one because of the double quotes in the arguments dissapear.
If we define the two macros as the following:
"test_args2(1)" -> `test_args("$args$")`
"test_args(1)" -> | eval arguments = $args$
And then run the following search:
| makeresults
`test_arguments2("[| makeresults | eval arguments = tostring(floor(relative_time(_time, "@y"))) | return $arguments]")`
| table arguments
It raises the following error:
And the search log shows that after expanding the first macro then it removes the double quotations from the argument:
PARSING: | makeresults \n`test_arguments2("[| makeresults | eval arguments = tostring(floor(relative_time(_time, "@y"))) | return $arguments]")`\n| table arguments AFTER EXPANDING MACROS: | makeresults \n| eval arguments = [| makeresults | eval arguments = tostring(floor(relative_time(_time, @y))) | return $arguments]\n| table arguments
It doesnt work either if we scape the doble quotes as:
| makeresults
`test_arguments2("[| makeresults | eval arguments = tostring(floor(relative_time(_time, \"@y\"))) | return $arguments]")`
| table arguments
Has anyone encounter a similar issue? How did you get around it or solve it?
We managed get a workaround this issue by creating a third macro with the whole string we are passing as the argument:
`args` -> | makeresults | eval arguments = tostring(floor(relative_time(_time, "@y"))) | return $arguments
Now we can run he following SPL without the parsing error:
| makeresults
`test_arguments2("[`args`]")`
| table arguments
By using the third macro with the arguments, we avoid Splunk to parse the arguments directly and removing the double quotes.
You're expanding arguments twice so you might need escaping them twice.
Like
`test_arguments2("\"[| makeresults | eval arguments = tostring(floor(relative_time(_time, \"@y\"))) | return $arguments]\"")`
The '@y' part could also use escaping backslashes so that it turns into \\\"@y\\\"
Yes, nested (un)escaping can be a PITA
Thanks for the feedback.
This approach is also working correctly, no longer raises the same error when removes the double quotes from the "@y".
But it wont work if you nest the macros more than 2 times.
It should work. But you'll need so much more escaping that your head will spin since all escaped backslashes will need escaping again. (same goes often in bash scripts - my record was something similar to \\\\\\\\" 🤣)
Yes, that is what we thought, but since we dont know how much nesting depth we are going to use, we just cant hardcode the escaped backslashes all the way down.
We managed get a workaround this issue by creating a third macro with the whole string we are passing as the argument:
`args` -> | makeresults | eval arguments = tostring(floor(relative_time(_time, "@y"))) | return $arguments
Now we can run he following SPL without the parsing error:
| makeresults
`test_arguments2("[`args`]")`
| table arguments
By using the third macro with the arguments, we avoid Splunk to parse the arguments directly and removing the double quotes.