Splunk Search

how to insert a macro name as field value if the results on the search match to a macro?

Builder

I have a query which displays some statistical results. Now I want to add a column macro_match which contains the matching macro.

like as shown below

macro_match
macro_1
macro_2

is it possible in splunk ?

I tried using the searchmatch and inserted the macro in it instead of the search string as shown below which doesn't worked.

| eval macro_match= case(searchmatch("`macro_1`"),"macro_1", searchmatch("`macro_2`"),"macro_2", true(), "None")
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Hi pavanae,

If I understand it correctly then you don't match on the macro command

  `macroNameHere`

but just on the string of the name like:

  | eval macro_match= case(searchmatch("macro_1"),"macro_1", searchmatch("macro_2"),"macro_2", true(), "None")

If you intend to call and run a macro this way, I don't think that is possible out of the box ... but might be wrong on that for the latest version of Splunk ¯\_(ツ)_/¯

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Hi pavanae,

If I understand it correctly then you don't match on the macro command

  `macroNameHere`

but just on the string of the name like:

  | eval macro_match= case(searchmatch("macro_1"),"macro_1", searchmatch("macro_2"),"macro_2", true(), "None")

If you intend to call and run a macro this way, I don't think that is possible out of the box ... but might be wrong on that for the latest version of Splunk ¯\_(ツ)_/¯

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!