Hoping to use a macro to simplify search terms as follows:
index=my_index sourcetype=my_sourcetype splunk_servers=`splunk_domain(west)`
A macro is set up to take one argument, $splunk_domain$, and the definition is currently as follows:
case(tostring($splunk_domain$)=="west","*.domain.west",tostring($splunk_domain$)=="east","*.domain.east",tostring($splunk_domain$)=="corp","*.domain.corp",true(),*)
The "Use eval-based definition" option is enabled. I have tried several different combinations of double quotes and the tostring() function on both the case conditions and outputs. I have also tried changing the definition to
eval splunk_server= case(tostring($splunk_domain$)=="west", "*.domain.west",tostring($splunk_domain$)=="east", "*.domain.east",tostring($splunk_domain$)=="corp","*.domain.corp",true(),*)
and changing the search to
index=my_index sourcetype=my_sourcetype `splunk_domain(west)`
This all seems to return the same "expected string" error message. Doing all this from the GUI as I don't have access to macros.conf.
Is this a valid use of macros, and if so, what needs to change so that the expected string is returned?