I am trying to add a new field in my events using eval, but I am getting errors.
My search looks like this:
... | eval newField=`getIpBasedOnMac($mac$)` | chart values(field1) over newField by mac
Any suggestions on how I could create newField and give it the value that the macro returns?
Hi andra_pietraru,
Try like this:
... | eval newField= getIpBasedOnMac("$mac$") | chart values(field1) over newField by mac
I tried, still get error. Thanks for the suggestion!
What does the function getIpBasedOnMac do, and what parameters can it take to return a result? I think we have to look at how we used the function getIpBasedOnMac.
getIpBasedOnMac() is not supported by Splunk.
It is a macro, written by andra_pietraru.
I understand, thanks.
You're already on your way using eval to set a new field. However, your macro has to be written in search language terms, it's just string replacement. So whatever you would ordinarily write to get "190.000.000.00" from "00000001" (a lookup?) would have to be the body of the macro.
You can't just run any search string you like in the middle of another search string. To perform that kind of translation you'd have to run a saved search, and use join (icky) or create some sort of lookup.
Either extend your macro or write a new one like this (macro name: setNewField(2)):
eval $fieldName$ = `getIpBasedOnMac($mac$)`
Then this:
... | eval newField=`getIpBasedOnMac($mac$)` | chart values(field1) over newField by mac
would change into this:
... | `setNewField(newField,mac)` | chart values(field1) over newField by mac
And what should the getIpBasedOnMac macro look like? This is what I have now:
search sourcetype=xmlConfig MAC=$mac$ | eval ip=switch.ipv4address
But I get error: "Error in 'eval' command: The operator at 'sourcetype=xmlConfig macaddress=0000000001' is invalid."
Does $mac$ come from some input, i.e. is it a token, or why did you enclose it in dollar signs?
Otherwise, the dollar signs are needed only in the definition of the macro. If mac exists as a field, you can just call your macro with the plain field name as its argument.
Also, what does your macro look like?
No, mac is just a field that I want to pass as argument. I tried without the $ sign, but still get the same error.
If I call the macro without the eval, i.e.:
sourcetype=xmlConfig findIpBasedOnMac(00000001)
I get ip="190.000.000.00"
The problem is that I want to assign that value as a new field in my events. Is there any way to do that?
Probably 🙂 What does your macro definition look like? It has to be of the form you would usually place after the =-sign of your eval.
This is the macro:
sourcetype=xmlConfig | rename switch.ipv4address as ip | search MAC=$mac$ | return ip
Your rex probably got corrupted while posting it, you need to post it as code. But still, that looks like the problem. As sowings (and I also) mentioned, your macro definition must be what you would usually put after the =-sign of your eval. A macro is basically text replacement.
Actually, I just realized that I do not even need that rex to retrieve the ip field.
Anyway, how could I return only the value of the ip field instead of "ip=..." in my macro? Should I use rex for that as well? I am fairly new to Splunk, so I have no idea what my options are. Thanks!
You should not think of "returning" anything in your macro, only as much as for example if(field=value,1,0) returns something. What just crossed my mind is that you could run your macro almost as it is, but change it so that it contains an eval expression which gives you the field you want, something like
sourcetype=xmlConfig | search MAC=$mac$ | eval ip=switch.ipv4address
You could then use the field "ip" in the search after the macro.
I understand what you mean, but the problem is that my main search looks at a different sourcetype, which does not have ip as field. So, this will return absolutely no results. What I try to achieve is to add a new field (ip) and then use it to group the mac addresses. I will try to do some more research and come back with a solution.
The eval in your macro will create the field ip 🙂
Won't the eval create the field ip for sourcetype=xmlConfig? So in my main search I look at sourcetype=other and it doesn't find the created ip field.
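An added example, not written by any participant in this thread, showing the two shapes a macro can take here and how the MAC-to-IP mapping can reach events of the other sourcetype. It follows the points made above: a macro is plain text replacement, so only an eval expression may stand to the right of "eval newField=", and carrying a value from sourcetype=xmlConfig into sourcetype=other needs a lookup. The lookup name mac_to_ip, the CSV file name, the macro names getIpBasedOnMac and ipExpr, the placeholder sourcetype "other" and the sample row are all assumptions made for illustration; the MAC/IP pair is the one quoted in the thread.

```ini
# transforms.conf: a CSV lookup that maps a MAC address to an IP.
# Assumed file mac_to_ip.csv with header "mac,ip"; a constructed row would be
#   00000001,190.000.000.00
[mac_to_ip]
filename = mac_to_ip.csv

# macros.conf, form 1: the macro body is a whole search command, so it is
# called on its own pipe segment, never after "eval newField=".
# `getIpBasedOnMac(mac)` expands to:  lookup mac_to_ip mac AS mac OUTPUT ip
[getIpBasedOnMac(1)]
args = mac
definition = lookup mac_to_ip mac AS $mac$ OUTPUT ip

# macros.conf, form 2: the macro body is an eval expression, which is the only
# thing allowed to the right of "eval newField=". Only practical for a handful
# of hard-coded values; the lookup above scales.
# `ipExpr(mac)` expands to:  case(mac=="00000001", "190.000.000.00", true(), null())
[ipExpr(1)]
args = mac
definition = case($mac$=="00000001", "190.000.000.00", true(), null())

# Searches (SPL), shown here as comments:
#
# Populate the lookup once from the config sourcetype (writes mac_to_ip.csv):
#   sourcetype=xmlConfig | rename switch.ipv4address AS ip | table MAC ip
#     | rename MAC AS mac | outputlookup mac_to_ip.csv
#
# Enrich the other sourcetype with the new field ip and group by it:
#   sourcetype=other | `getIpBasedOnMac(mac)` | chart values(field1) over ip by mac
#
# The same with the expression-style macro, which is the shape the thread
# asked about (macro body after "eval ip="):
#   sourcetype=other | eval ip=`ipExpr(mac)` | chart values(field1) over ip by mac
```

The first search answers the last question in the thread: an eval inside a macro only adds ip to the xmlConfig events it runs over, so the mapping is exported to a lookup table once and then joined onto the other sourcetype's events by the lookup command, which creates ip on those events directly.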