Hello,
I would like to define a MACRO that converts hexadecimal field into a binary fields because I often have to perform that kind of operation.
In Advanced search -> Search macros, I have add a new macro BinaryConversion:
eval BinaryResult=replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0011") ......
Use eval-based definition is not checked.
In my search I use it like that:
....|eval result=`BinaryConversion(STXT)`
I got the following error message:
Error in 'eval' command: The operator at 'BinaryResult=replace(STXT,"1","0001")' is invalid.
I tried directly to pass a string argument:
eval result=`BinaryConversion("1F")
but I got the same error message.
Regards
Well the immediate problem is that your macro definition includes the eval command itself, but you're using the macro in a different way. If you think about how Splunk is going to expand out the macro into ... | eval result='BinaryConversion(STXT)'
, the end result after the expansion will be
... | eval result=eval BinaryResult=replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0011") ......
and like the error message says, this is a syntax error. Strangely the eval result=eval
is considered OK - you're creating a field called result and assigning it to the value of the "eval" field. 😃 And then the rest of the command it doesn't know how to interpret.
Well the immediate problem is that your macro definition includes the eval command itself, but you're using the macro in a different way. If you think about how Splunk is going to expand out the macro into ... | eval result='BinaryConversion(STXT)'
, the end result after the expansion will be
... | eval result=eval BinaryResult=replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0011") ......
and like the error message says, this is a syntax error. Strangely the eval result=eval
is considered OK - you're creating a field called result and assigning it to the value of the "eval" field. 😃 And then the rest of the command it doesn't know how to interpret.
Hello again,
So now I would like to have my macro that returns a string in order to use it several times in the same Splunk request. With the current diefinition The field BinaryResult is overwritten each time I call my macro
So my macro is :
replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0010") ...
I have checked "eval-based definition"
How can I define in the Macro which value has to be returned ?
replace($HexValue$,"1","0001")| eval BinaryResult = replace(BinaryResult , "2", "0010") | return Binaryresult???
If I use the macro without having defined the value to be returned, I get the following message:
Error in 'SearchParser': The definition of macro 'BinaryConversion(1)' is expected to be an eval expression that returns a string.
Regards
Hello Sideview,
Thanks for your reply. With this correction, my macro is now working fine.
Regards