Splunk Search

macro with parameter as eval-base definition

eranhauser
Path Finder

My main query looks like:
...| stats min(_time) AS SESSION_START_TIME max(Source_Network_Address) AS EMP_SRC_IP...
| eval empID=`my_macro($EMP_SRC_IP$, $SESSION_START_TIME$)`

My macro definition is:
index=my_idx event.eventID=4624 event.Come_From=$ip_address$  latest=$time$ | sort - _time | head 1| table event.Who_Is_It

My questions are:
1. How can I make my macro, my_macro, return a string which is the value of event.Who_Is_It?

2. Is the way I assign the macro's returned value to the param name empID the right way?

0 Karma

eranhauser
Path Finder

The query works great if I pass values to the macro rather than params:
trim(`my_macro("8.8.8.8", 1642031990)`) but once I try to use params I get the errors.

0 Karma

ITWhisperer
SplunkTrust

How are you passing the parameters?

0 Karma

eranhauser
Path Finder

| eval empID=trim(`my_macro(EMP_SRC_IP, SESSION_START_TIME)`)

0 Karma

eranhauser
Path Finder

My query looks like:
... | stats min(_time) AS SESSION_START_TIME max(Source_Network_Address) AS EMP_SRC_IP ... | eval empID=trim(`my_macro($EMP_SRC_IP$, $SESSION_START_TIME$)`)

0 Karma

eranhauser
Path Finder

I found the issue: The macro should be a little different:

[search index=my_idx event.eventID=4624 event.Come_From=$ip_address$  latest=$time$ 
| sort - _time 
| head 1
| rename "event.Who_Is_It" as query | fields query | format "\"" "" "" "" "" "\"" | table search]

The problem now is that I get an error when passing parameters.
| eval empID=trim(`my_macro($EMP_SRC_IP$, $SESSION_START_TIME$)`)
Invalid value "$SESSION_START_TIME$" for time term 'latest' 

Any idea what is wrong?


0 Karma

ITWhisperer
SplunkTrust

You don't need $ around the field names you are passing into the macro:

| eval empID=trim(`my_macro(EMP_SRC_IP, SESSION_START_TIME)`)
0 Karma

eranhauser
Path Finder

After removing the $ I get the following error:
Invalid value "SESSION_START_TIME" for time term 'latest'

0 Karma

eranhauser
Path Finder

I created the macro as a subsearch as you suggested below:

[search index=my_idx event.eventID=4624 event.Come_From=$ip_address$  latest=$time$ 
| sort - _time 
| head 1
| table 'event.Who_Is_It'
| rename "event.Who_Is_It" as query | fields query | format "\"" "" "" "" "" "\""]

and when I call it in the Splunk UI:

`my_macro($EMP_SRC_IP$, $SESSION_START_TIME$)`

I get the results I mentioned above.

0 Karma

ITWhisperer
SplunkTrust

On the Splunk search UI, call it like this:

| makeresults
| eval empID=trim(`my_macro($EMP_SRC_IP$, $SESSION_START_TIME$)`)
0 Karma

ITWhisperer
SplunkTrust

Try setting your macro up like this:

[search index=my_idx event.eventID=4624 event.Come_From=$ip_address$  latest=$time$ 
| sort - _time 
| head 1
| table 'event.Who_Is_It'
| rename "event.Who_Is_It" as query | fields query | format "\"" "" "" "" "" "\""]

You may also need to trim the result:

| eval empID=trim(`my_macro($EMP_SRC_IP$, $SESSION_START_TIME$)`)
0 Karma
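The macro suggested above, written out as the macros.conf stanza a Splunk admin would ship it in; this is an added example, not a file from the thread. Because the macro body is a subsearch, Splunk expands the macro and runs the subsearch before the outer search's eval, so its two arguments have to be literal values (an IP string and an epoch time) rather than field names, which is why the literal call in the thread works. The app directory name is a placeholder.

```ini
# macros.conf, e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf  (<your_app> is a placeholder)
# The stanza name carries the argument count; the names in "args" are what the
# $ip_address$ and $time$ tokens in the definition are replaced with at expansion time.
[my_macro(2)]
args = ip_address,time
definition = [search index=my_idx event.eventID=4624 event.Come_From=$ip_address$ latest=$time$ | sort - _time | head 1 | rename "event.Who_Is_It" as query | fields query | format "\"" "" "" "" "" "\""]

# Call it from a search with literal values, as in the call that worked in the thread:
#   | makeresults | eval empID=trim(`my_macro("8.8.8.8", 1642031990)`)
```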

eranhauser
Path Finder

Something strange is going on. When I run the query of the macro as you suggested on the Splunk UI (as a subsearch) I got zero results back. If I remove the last part, "| rename", I got 11 results back, as if it ignores the "| head 1". When I run it NOT as a subsearch I got one result as expected.
What should I do to fix it?

Why is that?

0 Karma

ITWhisperer
SplunkTrust

What do you mean "as a subsearch"? Can you share exactly what you have in the search, in a code block (</>)?

0 Karma