I have a complex macro that works in 4.3 (build 115073) but not 5.0.2 (build 149561). here is an example search: `job(7165060)`

in 4.3, the search inspector shows this to be evaluated to: ( ( index=hpc_* earliest=02/26/2013:14:53:24 latest=02/26/2013:14:59:56 (_time>=1361915609 _time<= 1361915991 glory0 NOT (sourcetype=moabstats otype=job NOT jobid=7165060)) OR (sourcetype=moabstats jobid=7165060) OR (sourcetype=slurm Job_id=7165060) OR (sourcetype=joblog JobId=7165060) NOT (host=-sp OR host=-cmm OR kern.info OR kern.warning OR MARK OR syslog-ng OR ntpd) ) )

but in 5.0:( ( "index=hpc_* earliest=02/26/2013:14:53:24 latest=02/26/2013:14:59:56 (_time>=1361915609 _time<= 1361915991 glory0 NOT (sourcetype=moabstats otype=job NOT jobid=7165060)) OR (sourcetype=moabstats jobid=7165060) OR (sourcetype=slurm Job_id=7165060) OR (sourcetype=joblog JobId=7165060) NOT (host=-sp OR host=-cmm OR kern.info OR kern.warning OR MARK OR syslog-ng OR ntpd)" ) )

in 4.3, the appropriate events are found and displayed. in 5.0, no events are returned. The difference I note in 5.0 is the double-quotes within the outer (( )). If I cut-n-paste the stuff inside those quotes and use it as a search in 5.0, it works as it should. So my question is, how can I make the macro work in 5.0?

Another hint is that I think the 4.3 build mentioned above is 4.3.1, and I think I also saw this double-quotes issue in 4.3.4, but I am not sure and don't have a build-to-minor_version map.

The macro definition being used is exactly the same in 4.3 and 5.0:

[job(3)]

args = jobid,index,latest

definition = [search index=$index$ sourcetype=moabstats jobid=$jobid$ latest=$latest$ hosts=* NOT hosts=- | head 1 | eval end=if(start==end, now(), _time) | eval slurmStart=start-5 | eval slurmEnd=end+5 | convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(slurmStart) | convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(slurmEnd) | makemv delim="," hosts | mvexpand hosts | dedup hosts | mvcombine hosts | eval hostlist=mvjoin(hosts," OR ") | eval query = "index=$index$ earliest=".slurmStart." latest=".slurmEnd." (_time>=" . start . " _time<= " . end . " " . hostlist . " NOT (sourcetype=moabstats otype=job NOT jobid=$jobid$)) OR (sourcetype=moabstats jobid=$jobid$) OR (sourcetype=slurm Job_id=$jobid$) OR (sourcetype=joblog JobId=$jobid$) NOT (host=-sp OR host=-cmm OR kern.info OR kern.warning OR MARK OR syslog-ng OR ntpd)" | fields + query]

errormsg =

iseval = 0

and yes my example above (and common usage) is a single-arg form of the macro, which uses the above 3-arg via:

[job(1)]

args = jobid

definition = job(jobid=$jobid$, index="hpc_*")

errormsg =

iseval = 0

validation =

[job(2)]

args = jobid,index

definition = job(jobid=$jobid$, index=$index$, latest=now())

errormsg =

iseval = 0

validation =