eval macro with a case statement errors

RVDowning · ‎10-03-2013

source="PerfMetrics" "OPEN PLAN" OSArch=64-bit PlanMode=Server |
transaction Guid startswith="OPEN PLAN START" endswith="OPEN PLAN END" |
PlanSize = PlanSize | etc, etc

(It doesn't display in the question, but there are tic marks around the second Plansize above.

with a macro of case(NumRows>0 AND NumRows<=50 AND NumDoors>=650, \"S\", NumRows>=200 AND NumRows<=250 AND NumDoors>=650 , \"M\", NumRows >500, \"L\")

I've tried both with and without escaping the quotes and also having PlanSize = in front of the case as well has having eval Plansize = in front of the case statement. Also, in the calling search I've tried eval PlanSize = PlanSize and just PlanSize

I keep getting:
Error in 'SearchParser': The definition of macro 'PlanSize' is expected to be an eval expression that returns a string.

Don't know any other combinations to try. Can this even be done using macros?

sdaniels · ‎10-03-2013

Guessing the macro will need to start with eval myString = case(NumRows>0 etc.... then after you could have | eval PlanSize = myString because myString will be a value returned from the Macro. I usually like to write the whole search out, make sure it works and then sub in the macro. That way I know the syntax and structure is correct first.

RVDowning · ‎10-03-2013

Well, guess I don't understand "Eval based expression." Once I unchecked that box it worked fine.

eval macro with a case statement errors

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases