Splunk Search

Can field values be used as a macro name?

mrain7
New Member

Can be used as a macro name field value?

EX)

index=_internal | table sourcetype | `sourcetype`

I have a 500 type
I want to use each type of each macro.

What should I do?

Tags (4)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

@stu2's link appears to be missing, so here's the short answer: No.

Slightly longer: Macros are evaluated before the search is run, while field values are known during the execution - too late. Macros are evaluated once per search, while field values exist once per row - too many.

Edit: found the link: http://answers.splunk.com/answers/144038/how-can-i-pass-field-value-as-macro-name.html

stu2
Explorer
0 Karma

somesoni2
SplunkTrust
SplunkTrust

What is your requirement for creating these macros? you need different processing for each sourcetype?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...