Knowledge Management

Is it possible to pass an event field as an argument to a macro?

mnm1987
Explorer

Hello Fellow Splunkers,
This is a question about macros in Splunk. I was wondering if it's even possible to pass field names from events as arguments to your macro.

For example: if I have a macro configured as getInfo(info_id,info_time), info_id and info_time would be event fields from an index.
Something like index=infologs |getinfo(info_id,info_time)

Thanks.
Mukund

0 Karma

gokadroid
Motivator

Yes, you can. Have a look here for an example which uses a revenue field being passed with another rate value, which then get multiplied inside the macro.

Example in its simplest terms:

Go to Settings » Advanced search » Search macros » Add new

Update in the sections Name, Definition and Argument respectively as multiplyABC(3), eval dd=$a$*$b$*$c$, a,b,c
Call it as follows:

`multiplyABC(field1,field2,field3)`
0 Karma

mnm1987
Explorer

gokadroid - Thanks for the response, I understand that the above steps are handy when creating a macro with Arguments.

But my requirement was to be able to specify or call the macro in the following way
index="blah" |multiplyABC(field1,field2,field3)
where field1,field2 and field3 are not explicitly hardcoded values, instead they are Fields in the events found for index="blah".

Based on my observation, event fields that are passed get treated literally instead of having their values interpreted, i.e.
the expanded macro search would look as follows:

eval dd=field1*field2*field3

0 Karma
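A self-contained search for checking what the thread discusses, added here as an example and not taken from either poster. It assumes the macro from the answer above is saved with Name multiplyABC(3), Definition eval dd=$a$*$b$*$c$ and Arguments a,b,c; the three events and their field values are constructed with makeresults.

```spl
| makeresults count=3
| streamstats count AS n
| eval field1=n, field2=n*2, field3=10
| `multiplyABC(field1,field2,field3)`
| table field1 field2 field3 dd
```

Macro arguments are substituted as text before the search runs, so the fourth line becomes eval dd=field1*field2*field3. The eval command then reads unquoted names as field references for each event, giving dd values of 20, 80 and 180 for the three constructed rows.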