Knowledge Management

Search-macro that takes variable number of arguments

SonnyB
Explorer

(Keywords: varargs macros, dynamically built K=V fields, passing variable number of search-result’s fields’ values to a macro for computation).

How do you build a search-macro that takes a variable number of arguments? I do not know beforehand the exact number of K=V entries that will show up in the events of the search results and I need to pass the values of all such keys to the macro, to do some computation on the vector of values. Thus, I cannot define a macro signature that takes any fixed number of arguments. Can someone shed some light on the subject-matter? Any pointers to an example will be appreciated.

steveyz
Splunk Employee

Unfortunately this is not possible. Macros in most languages cannot take a variable number of arguments because the macro expansion is done as a pre-processing step, before there is any knowledge of the data.

vanvan
Path Finder

Old topic, but if someone experiences the same issue ... it will depend a lot on the content of the macro and the overall implementation, but for me the solution was to configure the macro to accept a single argument and in the SPL where I use the macro I enclose the arguments with double quotes.

E.g. I had a macro used in a dashboard; the arguments for the macro were taken from a multiselect input field on the dashboard. The input field creates a token $multipleValuesSeparatedByComma$ which I passed to the macro (the user can select one or more items in the field, thus passing one or more arguments to the macro):

myMacro($multipleValuesSeparatedByComma$)

This didn't work very well in the SPL contained in the macro when the user selected more than one value in the field. I then tried to add double quotes around the token and this SOLVED the problem, i.e.:

myMacro("$multipleValuesSeparatedByComma$")

Now the users can select single, double or multiple values and the underlying SPL understands it correctly and returns the right results.

0 Karma
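
An added example, not part of the thread or any poster's configuration, showing the single-argument pattern described in the last reply as a macros.conf stanza. Only the macro name and the token name come from the post; the argument name `values`, the `host` field, the macro body and the sample values `web01,web02` are assumptions made for illustration.

```ini
# macros.conf (constructed example)
# The stanza name carries the argument count: myMacro(1) is a different
# macro from myMacro(2), and the count is fixed when the macro is defined.
[myMacro(1)]
# "values" is an assumed argument name; it receives the whole
# comma-separated string as one value.
args = values
# Assumed body: filter on a hypothetical "host" field. The post does not
# show what the real macro does.
definition = search host IN ($values$)

# Invocation from the dashboard search (macros are called inside backticks):
#
#   `myMacro($multipleValuesSeparatedByComma$)`
#     With two selections the token renders as, e.g., web01,web02, which is
#     parsed as two arguments, so Splunk looks for myMacro(2) and the
#     one-argument stanza above does not match.
#
#   `myMacro("$multipleValuesSeparatedByComma$")`
#     The quotes make web01,web02 a single argument, so myMacro(1) matches
#     and the definition expands to: search host IN (web01,web02)
```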