Solved: Don't get eval based macros

andersmholmgren · ‎12-08-2011

I just can't seem to understand how the eval based macros are supposed to work

I wrote a very simple macro

[TEST]
definition = "TEST"
iseval = 1

then a query to test the output

index=_audit | head 1 | eval test1=`TEST`  | eval test2=tostring(`TEST`) | table test*

The output is one column 'test2' with a value of Null

Why is that? Shouldn't the value be "TEST" for both columns? If not why not?

genthaler · ‎12-08-2011

Try this:

[TEST]
definition = "\"TEST\""
iseval = 1

View solution in original post

gkanapathy · ‎12-08-2011

An eval-based macro returns a string, which is substituted into the query. Your macro returns the string TEST, without quotes, so you are getting:

... | eval test1=TEST  | eval test2=tostring(TEST) | ...

In this case, TEST is used as the name of a non-existent variable. You can get what you intended either with @genthaler's answer, or by putting the quotes in the query:

... | eval test1="`TEST`"  | eval test2=tostring("`TEST`") | ...

genthaler · ‎12-09-2011

Hi @gkanapathy,
I just tried it, unfortunately quoted macro invocations don't get invoked.
So instead of "TEST", you end up with the literal string "`TEST`".

genthaler · ‎12-08-2011

Try this:

[TEST]
definition = "\"TEST\""
iseval = 1

Don't get eval based macros

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!