Splunk Search

macro with parameter as eval-base definition

eranhauser
Path Finder

My main query looks like:
...| stats min(_time) AS SESSION_START_TIME max(Source_Network_Address) AS EMP_SRC_IP...
| eval empID=`my_macro($EMP_SRC_IP$, $SESSION_START_TIME$)`

My macro definition is:
index=my_idx event.eventID=4624 event.Come_From=$ip_address$  latest=$time$ | sort - _time | head 1| table event.Who_Is_It

My questions are:
1. How can I make my macro, my_macro, return a string which is the value of event.Who_Is_It?

2. Is the way I assign the macro's returned value to the param name empID the right way?

Labels (1)
0 Karma

eranhauser
Path Finder

The query works great if I pass to the macro values and not params:
trim(`my_macro("8.8.8.8", 1642031990)`) but once I try to use params I get the errors

0 Karma

ITWhisperer
SplunkTrust

How are you passing the parameters?

0 Karma

eranhauser
Path Finder

 eval empID=trim(`my_macro(EMP_SRC_IP, SESSION_START_TIME)`)

0 Karma

eranhauser
Path Finder

My query looks like:
... | stats min(_time) AS SESSION_START_TIME max(Source_Network_Address) AS EMP_SRC_IP ... | eval empID=trim(`my_macro($EMP_SRC_IP$, $SESSION_START_TIME$)`)

0 Karma

eranhauser
Path Finder

I found the issue: The macro should be a little different:

[search index=my_idx event.eventID=4624 event.Come_From=$ip_address$  latest=$time$ 
| sort - _time 
| head 1
| rename "event.Who_Is_It" as query | fields query | format "\"" "" "" "" "" "\"" | table search]

The problem now is that I get error passing parameters.
| eval empID=trim(`my_macro($EMP_SRC_IP$, $SESSION_START_TIME$)`)
Invalid value "$SESSION_START_TIME$" for time term 'latest' 

Any idea what is wrong?

 

0 Karma

ITWhisperer
SplunkTrust

You don't need $ around the field names you are passing into the macro

| eval empID=trim(`my_macro(EMP_SRC_IP, SESSION_START_TIME)`)
0 Karma

eranhauser
Path Finder

After removing the $ I get the following error:
Invalid value "SESSION_START_TIME" for time term 'latest'

0 Karma

eranhauser
Path Finder

I created the macro as a subsearch as you suggested below:

[search index=my_idx event.eventID=4624 event.Come_From=$ip_address$  latest=$time$ 
| sort - _time 
| head 1
| table 'event.Who_Is_It'
| rename "event.Who_Is_It" as query | fields query | format "\"" "" "" "" "" "\""]

and when I call it on Splunk UI : 

`my_macro($EMP_SRC_IP$, $SESSION_START_TIME$)`

I got the results I mentioned above

0 Karma

ITWhisperer
SplunkTrust

On the splunk search UI call it like this

| makeresults
| eval empID=trim(`my_macro($EMP_SRC_IP$, $SESSION_START_TIME$)`)
0 Karma

ITWhisperer
SplunkTrust

Try setting your macro up like this:

[search index=my_idx event.eventID=4624 event.Come_From=$ip_address$  latest=$time$ 
| sort - _time 
| head 1
| table 'event.Who_Is_It'
| rename "event.Who_Is_It" as query | fields query | format "\"" "" "" "" "" "\""]

You may also need to trim the result

| eval empID=trim(`my_macro($EMP_SRC_IP$, $SESSION_START_TIME$)`)
0 Karma
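For reference, here is how the argument-taking macro discussed in this thread looks when written out as a macros.conf stanza. This is an added illustration, not taken from any post above or from a Splunk project file. The argument names ip_address and time follow the macro body quoted in the thread; the validation and errormsg settings are Splunk's documented macros.conf keys for rejecting malformed arguments, and the "(2)" in the stanza name is required because the macro takes two arguments. One point worth knowing when reading the errors above: macro arguments are substituted as literal text when the search string is parsed, before any eval command runs, so a field name or $field$ token handed to the macro from eval lands verbatim in latest= rather than being replaced by the field's value.

```ini
# Constructed example for etc/apps/<app>/local/macros.conf (app path is a
# placeholder, not from the thread). "(2)" is the argument count and must
# match the number of names in args.
[my_macro(2)]
args = ip_address, time
# Subsearch form suggested in the thread: the single matching value is
# rendered as a quoted string so the macro can be used inside eval.
definition = [search index=my_idx event.eventID=4624 event.Come_From=$ip_address$ latest=$time$ \
| sort - _time \
| head 1 \
| rename "event.Who_Is_It" as query | fields query | format "\"" "" "" "" "" "\""]
# Reject a non-numeric time argument before it reaches the search parser;
# argument names are referenced without $ inside validation.
validation = isnum(time)
errormsg = time must be an epoch timestamp such as 1642031990
# Plain (non-eval) macro: the definition is spliced into the search as text
# at parse time, so the arguments must be literals, not field names from
# the running search.
iseval = 0
```

With this stanza in place the call that the thread reports as working, trim(`my_macro("8.8.8.8", 1642031990)`), expands to the subsearch with those two literals, while a call such as `my_macro(EMP_SRC_IP, SESSION_START_TIME)` is stopped by the validation rule with the configured message instead of failing later with the "Invalid value" error for latest.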

eranhauser
Path Finder

Something strange is going on. When I run the query of the macro as you suggested on Splunk UI (as a subsearch) I got zero results back. If I remove the last part of "| rename" I got 11 results back, as if it ignored the "| head 1". When I run it NOT as a subsearch I got one result as expected.
What should I do to fix it?

Why is that?

0 Karma

ITWhisperer
SplunkTrust

What do you mean "as a subsearch"? Can you share exactly what you have in the search in a code block </>

0 Karma