macro - how to run macro in eval case

mrain7 · ‎03-19-2014

I made macros.

test_macro1, test_macro2

The macros are the result comes out

But macros will now run in eval case

Query statement

index = main | eval a = case (field> 1, test_macro1, field == 0, test_macro2)

Will this query should not run?

MuS · ‎03-19-2014

Hi mrain7,

no, this will only set the value of a based on the condition to either test_macro1 or test_macro2.
But you could build this as macro and provide the where statement as argument, lets start with a run everywhere example:

index=_internal | eventstats count(sourcetype) as myCount by sourcetype | where myCount<100 | timechart span=1m values(myCount) as myCount by sourcetype

this returns the count per sourcetype over time. Now we replace the where condition with a placeholder like $wherearg$ and create it as macro as described in the docs here and name it count_sourcetype.

You can now call the marco like this:

`count_sourcetype(myCount<100)`

and it will use the myCount<100 as condition of where and returns only results where the count per time range is under 100 events.

hope this helps ...

cheers, MuS

macro - how to run macro in eval case

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases

Are you a member of the Splunk Community?

macro - how to run macro in eval case

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases