
Can I populate a macro from search results?

poxx82
Engager

Hi,

I am trying to take the results of a search that returns 1000 machines and search for them in an index. Not sure what the best way to accomplish this is...

I was attempting to create tokens with 100 machines in each (MACHINE="A" OR MACHINE="B" OR MACHINE="C") and put them in a macro - $token1$ $token2$ $token3$ ... etc. which would result in 1000 machines listed in the format above to search against an index - index="A" (macro). Is there a better way to create a list from a search and drop it into a macro? Right now the limitation I am running into is the number of characters in an eval field.

Thanks.


woodcock
Esteemed Legend

What you are really looking for is a subsearch. Here is a search that generates a list of 100 like you indicated:

| makeresults 
| eval MACHINE=mvrange(1,101)
| rex field=MACHINE mode=sed "s/^/MACHINE/"
| format

Really, though, I would read this list from a lookup and then it would be like this:

| inputlookup YourLookupWithListOfMachinesHere
| format

You could bury this inside of a macro but I really don't see the point. To use one, put it inside of square-brackets to define a subsearch in your main search like this:

index=foo [| inputlookup YourLookupWithListOfMachinesHere]

DalJeanis
Legend

In short, NO.

Macros are evaluated first, before any searching happens.

However, what you are asking for is pretty easy, with at least three different ways you can do it.

First, use a subsearch.

1) Create a search that gets you 1000 MACHINES (only that one field, in a table).
2) Put it in brackets
3) The system will execute the subsearch, return a value that looks like ( ( MACHINE="machine1" ) OR ( MACHINE="machine2" ) OR... )
4) you're done.

index=foo  [ your search that gets 1000 records | table MACHINE ] 

SECOND METHOD -

1) Create a first search that saves the 1000 values for MACHINE to a lookup table
2) create a second search that uses | lookup mytable MACHINE OUTPUT MACHINE as foundme | where isnotnull(foundme)

There are lots more.

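As an added example (not code from any of the answers above), a small Python model of what the subsearch expands to under the default rendering of Splunk's `format` command, so the filter the outer search actually receives can be inspected; it assumes the subsearch rows are already trimmed to the MACHINE field and uses 10000 as the default subsearch row cap from limits.conf.

```python
"""Model of how Splunk splices a subsearch into the outer search via `format`.

Not Splunk code: it mirrors the documented default rendering
( ( f1="v" AND f2="w" ) OR ( f1="x" AND f2="y" ) ) so the result can be checked.
"""

from typing import Dict, List

# limits.conf [subsearch] maxout defaults to 10000 rows; rows past that are
# dropped from the subsearch result (Splunk shows a truncation warning).
SUBSEARCH_MAXOUT = 10000


def format_rows(rows: List[Dict[str, str]], maxresults: int = SUBSEARCH_MAXOUT) -> str:
    """Render result rows the way `| format` does with its defaults.

    Fields within a row are ANDed and rows are ORed, so a subsearch meant to
    match *any* machine must be reduced to the one field to filter on
    (e.g. `| table MACHINE`); any extra field narrows every clause.
    """
    kept = rows[:maxresults]
    if not kept:
        return ""
    clauses = []
    for row in kept:
        terms = " AND ".join(f'{field}="{value}"' for field, value in row.items())
        clauses.append(f"( {terms} )")
    return "( " + " OR ".join(clauses) + " )"


def build_search(outer: str, rows: List[Dict[str, str]], maxresults: int = SUBSEARCH_MAXOUT) -> str:
    """Return the search string Splunk runs: the outer search followed by the
    rendered subsearch, e.g. index="A" ( ( MACHINE="h1" ) OR ( MACHINE="h2" ) )."""
    return f"{outer} {format_rows(rows, maxresults)}".strip()


def truncated_machines(rows: List[Dict[str, str]], maxresults: int = SUBSEARCH_MAXOUT) -> List[str]:
    """Machines silently dropped by the row cap: the thing to check with a long
    host list, because the outer search simply never sees them."""
    return [row["MACHINE"] for row in rows[maxresults:]]


if __name__ == "__main__":
    # Constructed sample: the inventory search yields 1000 machines, each row
    # already reduced to the single MACHINE field.
    machines = [{"MACHINE": f"host{i:04d}"} for i in range(1, 1001)]
    print(build_search('index="A"', machines)[:80] + " ...")
    # Simulate a cap lower than the list to show what truncation loses.
    print(len(truncated_machines(machines, maxresults=600)), "machines dropped")
```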

kamlesh_vaghela
SplunkTrust

Hi

You can try it with the return command, like:

index="A" [ search SECOND_SEARCH | return MACHINE]

SECOND_SEARCH is the logic which you want to pass in the macro.

Please see return doc for more info.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Return

hardikJsheth
Motivator

Macros are not for this purpose. If I understood the requirement correctly, you want to search for a list of hosts from one query and then use this list in another query. A good option would be to use a JOIN query or an append query.
