Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Debugging a search ran from python script

guilhem
Contributor
‎03-25-2013 06:18 AM

Hi!

I have a complex search that uses macro, when running it in splunkweb it works fine, but when running it from the python (fill_summary_index.py), the search isn't even parsed, and I have the error:

[EventsViewer module] Error in 'search' command: Unable to parse the search: Comparator '=' is missing a term on the right hand side.

I would like to know how to debug more specifically the search (which equal is responsible for the parsing failure), and maybe why it can work when run in the web browser, but not from the script.

Here is the search (name MY_SEARCH):

index=INDEX action=AAA s=*
| join userId s [search index=INDEX action=BBB earliest=`MY_MACRO(MY_SEARCH, 20)`] 
| join userId type=outer [search index=INDEX action=BBB earliest=`M_MACRO(MY_SEARCH, 48)` latest=`MY_MACRO(MY_SEARCH, 20)` | stats max(_time) as time by userId | eval r=1]
| fillnull r
| table v userId s r
| dedup v userId r
| eval rU=if(r==1, userId, null)
| sistats dc(userId) as total dc(rU) as r by v

Here is the macro (name MY_MACRO), it is used to compute the scheduled time of the search, independently from when I run it (it takes as parameter the name of the search and get the first occurrence of it in the job list).

[| rest /services/search/jobs 
| search label="$arg1$" 
| head 1 
| eval earliest=substr(earliestTime, 1, 19)
| eval earliest=strptime(earliest,"%Y-%m-%dT%H:%M:%S")
| eval earliest=earliest-$arg2$*3600
| eval earliest=round(earliest, 0)
| return $earliest]

I think It may be a bit overkill, but I couldn't figure how to do it more easily.

Guilhem

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎03-25-2013 07:50 AM

I think I spotted the issue. In your macro, you are returning "$earliest". Try returning "earliest".

View solution in original post

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎03-25-2013 07:50 AM

I think I spotted the issue. In your macro, you are returning "$earliest". Try returning "earliest".

Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎03-25-2013 08:26 AM

I do believe that the $ is special within macros. I'd wager that is correct.

0 Karma
Reply
Solved! Jump to solution

guilhem
Contributor
‎03-25-2013 07:58 AM

OK, thank you very much.

Indeed when using the web app, you can use return $whatever, it will then return the right part of the field, BUT when used in macro it doesn't work... I have switched and now use a macro for earliest and a macro for latest, and it does indeed work.

On a side note, why is it that way? Why is the return $something not working inside a macro?

EDIT: I suppose the $ sign indicates that the macro should wait for an argument after and thus mess up the end of the search. My guess.

0 Karma
Reply
Solved! Jump to solution

guilhem
Contributor
‎03-25-2013 07:29 AM

[ft_hour_from_search_start(2)]
args = arg1, arg2
definition = [| rest /services/search/jobs | search label="$arg1$" | head 1 | eval earliest=substr(earliestTime, 1, 19)| eval earliest=strptime(earliest,"%Y-%m-%dT%H:%M:%S")| eval earliest=earliest-$arg2$*3600| eval earliest=round(earliest, 0)| return $earliest]
iseval = 0

Here it is extracted from macros.conf from the /etc/apps/my_app/local folder, is it what you asked?

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎03-25-2013 07:18 AM

Can you provide the macro definition with stanza?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...