Re: macro with parameter as eval-base definition

eranhauser · ‎01-17-2022

My main query looks like:
...| stats min(_time) AS SESSION_START_TIME max(Source_Network_Address) AS EMP_SRC_IP...
| eval empID=`my_macro($EMP_SRC_IP$, $SESSION_START_TIME $)`

My macro definition is:
index=my_idx event.eventID=4624 event.Come_From=$ip_address$ latest=$time$ | sort - _time | head 1| table event.Who_Is_It

My questions are:
1. How can I make my macro, my_macro, returns a String which is the value of event.Who_IS_It ?

2. Is the way I assign the macro returned value to param name empID is the right way?

eranhauser · ‎01-18-2022

The query works great if I pass to the macro values and not params:
trim(`my_macro("8.8.8.8", 1642031990)`) but once try to use params I get the errors

ITWhisperer · ‎01-18-2022

How are you passing the parameters?

eranhauser · ‎01-18-2022

eval empID=trim(`my_macro(EMP_SRC_IP, SESSION_START_TIME)`)

eranhauser · ‎01-18-2022

My query looks like:
... | stats min(_time) AS SESSION_START_TIME max(Source_Network_Address) AS EMP_SRC_IP ... | eval empID=trim(`my_macro($EMP_SRC_IP$, $SESSION_START_TIME$)`)

eranhauser · ‎01-18-2022

I found the issue: The macro should be a little different:

[search index=my_idx event.eventID=4624 event.Come_From=$ip_address$  latest=$time$ 
| sort - _time 
| head 1
| rename "event.Who_Is_It" as query | fields query | format "\"" "" "" "" "" "\"" | table search]

The problem now is that I get error passing parameters.

| eval empID=trim(`my_macro($EMP_SRC_IP$, $SESSION_START_TIME $)`)

Invalid value "$SESSION_START_TIME$" for time term 'latest'

Any idea what is wrong?

ITWhisperer · ‎01-18-2022

You don't need $ around the field names you are passing into the macro

| eval empID=trim(`my_macro(EMP_SRC_IP, SESSION_START_TIME)`)

eranhauser · ‎01-18-2022

After removing the $ I get the following error:
Invalid value "SESSION_START_TIME" for time term 'latest'

eranhauser · ‎01-18-2022

I created the macro as a subsearch as you suggested below:

[search index=my_idx event.eventID=4624 event.Come_From=$ip_address$  latest=$time$ 
| sort - _time 
| head 1
| table 'event.Who_Is_It'
| rename "event.Who_Is_It" as query | fields query | format "\"" "" "" "" "" "\""]

and when I call it on Splunk UI :

`my_macro($EMP_SRC_IP$, $SESSION_START_TIME $)`

I got the results I mentioned above

ITWhisperer · ‎01-18-2022

On the splunk search UI call it like this

| makeresults
| eval empID=trim(`my_macro($EMP_SRC_IP$, $SESSION_START_TIME $)`)

ITWhisperer · ‎01-17-2022

Try setting your macro up like this:

[search index=my_idx event.eventID=4624 event.Come_From=$ip_address$  latest=$time$ 
| sort - _time 
| head 1
| table 'event.Who_Is_It'
| rename "event.Who_Is_It" as query | fields query | format "\"" "" "" "" "" "\""]

You may also need to trim the result

| eval empID=trim(`my_macro($EMP_SRC_IP$, $SESSION_START_TIME $)`)

eranhauser · ‎01-18-2022

Something strange is going on. When I run the query of the macro as you suggested on Splunk UI (as a subsearch) I got zero results back. If I remove the last part of "| rename" I got 11 results back as if it ignore the "| head 1". When I run it NOT as a subsearch I got one result as expected.
What should I do to fix it?

Why is that?

ITWhisperer · ‎01-18-2022

What do you mean "as a subsearch"? Can you share exactly what you have in the search in a code block </>

macro with parameter as eval-base definition

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation