Solved: Macro returns no result when applied

klausJohan · ‎10-11-2013

Hello,

Could someone explain what am I doing wrong in using a macro ?

Here is the macros.conf file

[GET_IP]
definition = 127.0.0.1

The search query I intend to use is :

source="mySource" AND object.ip_address='GET_IP'

However, if I paste the above query in the search bar I obtain no result . On the other hand if I do the same thing for the expanded query (source="mySource" AND object.ip_address=127.0.0.1) I get all the events back .

alacercogitatus · ‎10-11-2013

You need to use backticks, not quotes, and probably make it eval macro.

macros.conf
[GET_IP] definition = "\"127.0.0.1\"" iseval = true

source="mySource" object.ip_address=GET_IP

View solution in original post

alacercogitatus · ‎10-11-2013

You need to use backticks, not quotes, and probably make it eval macro.

macros.conf
[GET_IP] definition = "\"127.0.0.1\"" iseval = true

source="mySource" object.ip_address=GET_IP

klausJohan · ‎10-11-2013

Thanks .Worked with : definition = "127.0.0.1"

alacercogitatus · ‎10-11-2013

try your initial definition.

klausJohan · ‎10-11-2013

Thanks. I'm still getting an error back . This time is "Error in 'SearchParser': The definition of macro 'GET_IP' is expected to be an eval expression that returns a string"

alacercogitatus · ‎10-11-2013

try this url: http://your_splunk:8000/en-US/debug/refresh/?entity=admin/macros and then try your search again.

klausJohan · ‎10-11-2013

The "backtip " opened my eyes about how to properly use a macro in a search. Now I obtain an error : Error in 'SearchParser': Could not find macro 'GET_IP' that takes 0 arguments. Expecting stanza name 'GET_IP'.

Macro returns no result when applied

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor