Splunk Search

troublesome double-quotes in macro/subsearch expansion

jrstear
Path Finder

I have a complex macro that works in 4.3 (build 115073) but not 5.0.2 (build 149561). Here is an example search: `job(7165060)`

In 4.3, the search inspector shows this to be evaluated to: ( ( index=hpc_* earliest=02/26/2013:14:53:24 latest=02/26/2013:14:59:56 (_time>=1361915609 _time<= 1361915991 glory0 NOT (sourcetype=moabstats otype=job NOT jobid=7165060)) OR (sourcetype=moabstats jobid=7165060) OR (sourcetype=slurm Job_id=7165060) OR (sourcetype=joblog JobId=7165060) NOT (host=-sp OR host=-cmm OR kern.info OR kern.warning OR MARK OR syslog-ng OR ntpd) ) )

But in 5.0: ( ( "index=hpc_* earliest=02/26/2013:14:53:24 latest=02/26/2013:14:59:56 (_time>=1361915609 _time<= 1361915991 glory0 NOT (sourcetype=moabstats otype=job NOT jobid=7165060)) OR (sourcetype=moabstats jobid=7165060) OR (sourcetype=slurm Job_id=7165060) OR (sourcetype=joblog JobId=7165060) NOT (host=-sp OR host=-cmm OR kern.info OR kern.warning OR MARK OR syslog-ng OR ntpd)" ) )

In 4.3, the appropriate events are found and displayed. In 5.0, no events are returned. The difference I note in 5.0 is the double-quotes within the outer (( )). If I cut-n-paste the stuff inside those quotes and use it as a search in 5.0, it works as it should. So my question is, how can I make the macro work in 5.0?

Another hint is that I think the 4.3 build mentioned above is 4.3.1, and I think I also saw this double-quotes issue in 4.3.4, but I am not sure and don't have a build-to-minor_version map.

The macro definition being used is exactly the same in 4.3 and 5.0:

[job(3)]
args = jobid,index,latest
definition = [search index=$index$ sourcetype=moabstats jobid=$jobid$ latest=$latest$ hosts=* NOT hosts=- | head 1 | eval end=if(start==end, now(), _time) | eval slurmStart=start-5 | eval slurmEnd=end+5 | convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(slurmStart) | convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(slurmEnd) | makemv delim="," hosts | mvexpand hosts | dedup hosts | mvcombine hosts | eval hostlist=mvjoin(hosts," OR ") | eval query = "index=$index$ earliest=".slurmStart." latest=".slurmEnd." (_time>=" . start . " _time<= " . end . " " . hostlist . " NOT (sourcetype=moabstats otype=job NOT jobid=$jobid$)) OR (sourcetype=moabstats jobid=$jobid$) OR (sourcetype=slurm Job_id=$jobid$) OR (sourcetype=joblog JobId=$jobid$) NOT (host=-sp OR host=-cmm OR kern.info OR kern.warning OR MARK OR syslog-ng OR ntpd)" | fields + query]
errormsg =
iseval = 0

And yes, my example above (and common usage) is a single-arg form of the macro, which uses the above 3-arg form via:

[job(1)]
args = jobid
definition = job(jobid=$jobid$, index="hpc_*")
errormsg =
iseval = 0
validation =

[job(2)]
args = jobid,index
definition = job(jobid=$jobid$, index=$index$, latest=now())
errormsg =
iseval = 0
validation =


jonuwz
Influencer

In job(3) replace

| fields + query

with

| return $query

?

jrstear
Path Finder

Turns out that query is an external command that was too slow for my use - I encountered timeouts (which I could bump up). Changing the variable name from query to search worked though (the implicit format handles it slightly differently) - no double quotes and WAY faster than return.

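An added illustration of the mechanism the fix above relies on; it is not code from the thread. It assumes Splunk's documented subsearch behaviour: when a subsearch's results are turned into a search string by the implicit `format` step, a field named `search` is spliced into the outer search verbatim, whereas other fields are rendered as quoted terms. `makeresults` is used only to fabricate a one-row result for testing and did not exist in 5.0; the jobid and sourcetype values are constructed.

```spl
| makeresults
| eval search="sourcetype=moabstats jobid=7165060 NOT (host=-sp OR host=-cmm)"
| fields search
| format
```

Running that on its own shows what the subsearch would hand back: a `search` field whose value is `( ( sourcetype=moabstats jobid=7165060 NOT (host=-sp OR host=-cmm) ) )`, with no surrounding double quotes. Used as the subsearch of `index=hpc_* [ ... ]` (replace the `...` with the first three lines above), the outer search is therefore filtered by those terms directly, which is exactly what the job(3) macro gets once its `eval query = ...` is renamed to `eval search = ...` and the trailing `| fields + query` becomes `| fields + search`. If the field name were anything other than `search`, the rendered value would be quoted and, as seen in the 5.0 output in the question, treated as a literal string rather than as search terms, so the check when a macro returns nothing after an upgrade is to open the search inspector and look for a quoted blob inside the outer `( ( ... ) )`.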

jonuwz
Influencer

It infuriated me too 🙂 been there / done it.
Also - accepting the answer is the normal way to assign rep, you don't have to spend your own


jrstear
Path Finder

Ding - it works! Thanks!
