Snippet of search
SEARCH
| eval runmacro = if(deltadif="NO"," TurnTimeRecovered "," TurnTimeWarning ")
runmacro
comment(" +++++++++TurnTimeWarning
| where alertnamecount>0
| where alertnamecount=(count+1)
+++++++++++++++ ")
comment(" +++++++++TurnTimeRecovered
| where alertnamecount=0
| head 1
| where count=1
| where deltadif = "NO"
++++++++++++ ")
The macros exist and the comments above are the exact macros. From the 'deltadif' value I need to perform one of the above macros. This runs successfully, but it appears the macro is not executing. When I run each one inline, they function as expected, but require a unique search for each.
Can a variable be set as a macro and be called; if so how? Or is there a better solution?
... View more