Dashboard base search cannot use macros

pgreer_splunk
Splunk Employee

I've come to find out that one cannot use macros within join statements in dashboards that have base searches (driving multiple/all panels in the dashboard).

For example, the following code doesn't work:

<dashboard>
  <label>mylabel</label>
  <search id="base">
    <query>index=some_index sourcetype="mysourcetype" earliest=-30d@d
| `mymacro`
| search [search index=customer_index | `mymacro` | table customer | dedup customer]
| stats count by field1 field2 field3
| lookup mylookup customer OUTPUT customer_name as "Customer"
| join customer [ search index=some_index earliest=-30d@d sourcetype="mysourcetype" | `mymacro` | rex "(?<core>\w*)\s*(?<version>(\d|\.)*)\s*(?<build>.*)" | fields customer version]     </query>
    <earliest>-30d@d</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Total Customers</title>
      <single>
        <search base="base">
          <query>| table customer | dedup customer | stats count</query>
        </search>
      </single>
    </panel>
  </row>
</dashboard>

but if I take the macro out of the join statement, it will work:

<dashboard>
  <label>mylabel</label>
  <search id="base">
    <query>index=some_index sourcetype="mysourcetype" earliest=-30d@d
| `mymacro`
| search [search index=customer_index | `mymacro` | table customer | dedup customer]
| stats count by field1 field2 field3
| lookup mylookup customer OUTPUT customer_name as "Customer"
| join customer [ search index=some_index earliest=-30d@d sourcetype="mysourcetype" | rex field=host "(.*)\.(?<StackId>[^\.]+).splunkcloud.com" | eval customer = StackId | rex "(?<core>\w*)\s*(?<version>(\d|\.)*)\s*(?<build>.*)" | fields customer version]     </query>
    <earliest>-30d@d</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Total Customers</title>
      <single>
        <search base="base">
          <query>| table customer | dedup customer | stats count</query>
        </search>
      </single>
    </panel>
  </row>
</dashboard>

where the macro mymacro expands to:

rex field=host "(.*)\.(?<StackId>[^\.]+).splunkcloud.com" | eval customer = StackId

Has anyone seen this before? Occurs in 6.4.x and 6.5.x - and if so is there a way around it?

gvmorley
Contributor

Hi,

Have you tried putting your query inside a <![CDATA[]]> tag?

So like this:

<query>
    <![CDATA[index=some_index sourcetype="mysourcetype" earliest=-30d@d
    | `mymacro`
    | search [search index=customer_index | `mymacro` | table customer | dedup customer]
    | stats count by field1 field2 field3
    | lookup mylookup customer OUTPUT customer_name as "Customer"
    | join customer [ search index=some_index earliest=-30d@d sourcetype="mysourcetype" | rex field=host "(.*)\.(?<StackId>[^\.]+).splunkcloud.com" | eval customer = StackId | rex "(?<core>\w*)\s*(?<version>(\d|\.)*)\s*(?<build>.*)" | fields customer version]]]>
</query>

This should hopefully get around all of the tedious &gt; and &lt; issues.

This is hidden away in this Splunk doc: Special Characters in XML Files
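
The two encodings mentioned in this thread (`&lt;`/`&gt;` entities and a CDATA section), checked for well-formedness in an added example that is not part of the original posts. It uses Python's standard XML parser rather than Splunk, the sample query is constructed from the thread's join with the macro expanded inline, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: the join subsearch from the thread, macro expanded inline.
SPL = (
    'index=some_index sourcetype="mysourcetype" '
    '| join customer [ search index=some_index '
    r'| rex field=host "(.*)\.(?<StackId>[^\.]+).splunkcloud.com" '
    '| eval customer = StackId | fields customer version]'
)


def as_entities(spl):
    """Encode &, < and > as XML entities for use as <query> text."""
    return "<query>" + escape(spl) + "</query>"


def as_cdata(spl):
    """Wrap in CDATA; a literal ']]>' in the query is split across two sections."""
    return "<query><![CDATA[" + spl.replace("]]>", "]]]]><![CDATA[>") + "]]></query>"


def parsed_query(xml_text):
    """Return the query text an XML parser recovers, or None if not well-formed."""
    try:
        return ET.fromstring(xml_text).text
    except ET.ParseError:
        return None


def check(spl):
    """Parse the same query pasted raw, entity-encoded and CDATA-wrapped."""
    return {
        "raw": parsed_query("<query>" + spl + "</query>"),
        "entities": parsed_query(as_entities(spl)),
        "cdata": parsed_query(as_cdata(spl)),
    }


if __name__ == "__main__":
    for name, value in check(SPL).items():
        status = "not well-formed" if value is None else "ok" if value == SPL else "altered"
        print(f"{name}: {status}")
```

The query ends in `]`, so the CDATA form ends in `]]]>`; the parser closes the section at the first `]]>` it finds and the trailing bracket of the subsearch survives.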

pgreer_splunk
Splunk Employee

After posting this (and editing it for clarity) I believe I've found the culprit: the macro expands to have the characters '<' and '>', which do not work all that well in XML and should instead be coded as

&lt;

&gt;

So the question is: if the macro has characters such as '>' and '<' - they work outside of the join (such as in the base search itself, or in a subsearch of a search command) - but they do NOT work within the join....

Is there a way to have the macro expand in a manner that it will be properly encoded within the XML within the join command?
