Splunk Search

How to pass parameter from savedsearch to a macro (inside the savedsearch) ?

highsplunker
Contributor

hey guys,

i'm stuck with this macro problem, where i cannot run a savedsearch with a macro inside it.

1. i have a savedsearch like this:

.... | eval param1="777" | `myMacro("$param1$")`

2. myMacro is configured like this:

eval mySqlQuery="select * from myTable where someField like ".$param1$." and otherField=='abc' "

3. i doesn't work. main error i face is this:

Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'mySavedSearch': Error while replacing variable name='param1'. Could not find variable in the argument map..

The closest info i've found is this (which works perfectly in the shown example, but not in my case - and i don't understand why):

https://community.splunk.com/t5/Knowledge-Management/How-do-I-make-macro-arguments-get-parsed-as-fie...

 

i mean, i tried many options with macro and savedsearch configuration (with $-s and "-s), unsuccessfully so far.

P.S. maybe this is important: i try to run a savedsearch, and the guys in the link above just run a search (which i tried as well - and it's OK). anyway, i don't know how to fix my savedsearch scenario...

Labels (4)
0 Karma
1 Solution

highsplunker
Contributor

SOLVED 🙂 silly mistake actually. changed the macro to this:

| eval myVal="--"
| `myMacroRASHID2(myVal)`

 

 

View solution in original post

0 Karma

highsplunker
Contributor

SOLVED 🙂 silly mistake actually. changed the macro to this:

| eval myVal="--"
| `myMacroRASHID2(myVal)`

 

 

0 Karma
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...