I tried, still get error. Thanks for the suggestion!

The function getIpBasedOnmac does what and what parameters it can take to return a result, I think we have to look at how we used the function getIpBasedOnMac

getIpBasedOnMac() is not supported by splunk

It is a macro, written by andra_pietraru.

i understand, thanks

You can't just run any search string you like in the middle of another search string. To perform that kind of translation you'd have to run a saved search, and use join (icky) or create some sort of lookup.

Either extend your macro or write a new one like this (macro name: setNewField(2)😞

eval $fieldName$ = `getIpBasedOnMac($mac$)`

Then this:
... | eval newField=`getIpBasedOnMac($mac$)` | chart values(field1) over newField by mac

would change into this:
... | `setNewField(newField,mac)` | chart values(field1) over newField by mac

And how should getIpBasedOnMac macro look like? This is what I have now:
search sourcetype=xmlConfig MAC=$mac$ | eval ip=switch.ipv4address

But I get error: "Error in 'eval' command: The operator at 'sourcetype=xmlConfig macaddress=0000000001' is invalid."

No, mac is just a field that I want to pass as argument. I tried without the $ sign, but still get the same error.
If I call the macro without the eval, i.e:
sourcetype=xmlConfig findIpBasedOnMac(00000001)
I get ip="190.000.000.00"

The problem is that I want to assign that value as a new field in my events. IS there any way to do that?

Probably 🙂 What does your macro definition look like? It has to be of the form you would usually place after the =-sign of your eval.

This is the macro:

sourcetype=xmlConfig | rename switch.ipv4address as ip | search MAC=$mac$ | return ip

Your rex probably got corrupted while posting it, you need to post it as code. But still, that looks like the problem. As sowings (and I also) mentioned, your macro definition must be what you would usually put after the =-sign of your eval. A macro is basically text replacement.

Actually, I just realized that I do not even need that rex to retrieve the ip field.

Anyway, how could I return only the value of the ip field instead of "ip=..." in my macro? Should I use rex for that as well? I am fairly new to Splunk, so I have no idea of what are my possibilities. Thanks!

You should not think of "returning" anything in your macro, only as much as for example if(field=value,1,0) returns something. What just crossed my mind is that you could run your macro almost as it is, but change it so that it contains an eval expression which gives you the field you want, something like

sourcetype=xmlConfig | search MAC=$mac$ | eval ip=switch.ipv4address

You could then use the field "ip" in the search after the macro.

I understand what you mean, but the problem is that my main search looks at a different sourcetype, which does not have ip as field. So, this will return absolutely no results. What I try to achieve is to add a new field (ip) and then use it to group the mac addresses. I will try to do some more research and come back with a solution.

The eval in your macro will create the field ip 🙂

Won't the eval create the field ip for sourcetype=xmlConfig? So in my main search I look at sourcetype=other and it doesn't find the created ip field.