Solved: How to reference a string variable in a search to ...

rpolanco · ‎10-14-2014

This is the search that I'm trying to do but it does not return anything. I'm trying to create a string variable and referencing it in a search so that I don't have to retype it eight times. And if I wan't to change the string, I only have to do it once.

| eval subnet="207.45.47.0/24" | search src_ip=subnet OR source_address=subnet OR src_translated_ip=subnet OR nat_source_address=subnet OR dest_ip=subnet OR destination_address=subnet OR dest_translated_ip=subnet OR nat_destination_address=subnet

Is this allowed or is there a better way of doing it?

aweitzman · ‎10-14-2014

You could create a search macro that takes one variable, and then plug that variable in multiple places. So for instance:

Under Settings > Advanced search > Search macros > Add new,

create a new macro for the search app that takes one argument (say, addrmacro(1))

In the Defintion section, write:

src_ip=$arg1$ OR source_address=$arg1$ OR src_translated_ip=$arg1$ OR nat_source_address=$arg1$ OR dest_ip=$arg1$ OR destination_address=$arg1$ OR dest_translated_ip=$arg1$ OR nat_destination_address=$arg1$

In the Arguments section, write arg1.

Then save it.

Now, you should be able to use it on the search bar, like addrmacro("207.45.47.0/24") with backquotes surrounding it, so Splunk knows it's a macro call. (I can't figure out how to write backquotes here, but imagine that they're there.)

View solution in original post

aweitzman · ‎10-14-2014

You could create a search macro that takes one variable, and then plug that variable in multiple places. So for instance:

Under Settings > Advanced search > Search macros > Add new,

create a new macro for the search app that takes one argument (say, addrmacro(1))

In the Defintion section, write:

src_ip=$arg1$ OR source_address=$arg1$ OR src_translated_ip=$arg1$ OR nat_source_address=$arg1$ OR dest_ip=$arg1$ OR destination_address=$arg1$ OR dest_translated_ip=$arg1$ OR nat_destination_address=$arg1$

In the Arguments section, write arg1.

Then save it.

Now, you should be able to use it on the search bar, like addrmacro("207.45.47.0/24") with backquotes surrounding it, so Splunk knows it's a macro call. (I can't figure out how to write backquotes here, but imagine that they're there.)

rpolanco · ‎10-14-2014

Got it to work; I forgot the bacquotes.

Thanks

rpolanco · ‎10-14-2014

I tried creating the macro and the search still does not return anything even if a type a specific IP instead of the subnet. This is the search:

subnet("207.45.47.0/24")

Not sure why it's not returning anything. The fields in the macro's definition match exactly.

richgalloway · ‎10-14-2014

This is a good answer, but will still fail to return anything if the fields don't exactly match the argument. My crystal ball is a little cloudy, but I believe the OP needs to use a pattern (207.45.47.*) instead of a CIDR.

---
If this reply helps you, Karma would be appreciated.

aweitzman · ‎10-14-2014

You're probably right. The OP will likely want to combine both answers to get what they really want.

richgalloway · ‎10-14-2014

That should work, assuming the fields you are trying to match contain the exact string "207.45.47.0/24". If you are trying to do a CIDR match you need to use the cidrmatch eval function or change your 'subnet' string to "207.45.47.*".

---
If this reply helps you, Karma would be appreciated.

How to reference a string variable in a search to avoid retyping it?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM