I have a complex macro that works in 4.3 (build 115073) but not 5.0.2 (build 149561). Here is an example search: `job(7165060)`
In 4.3, the search inspector shows this to be evaluated to: ( ( index=hpc_* earliest=02/26/2013:14:53:24 latest=02/26/2013:14:59:56 (_time>=1361915609 _time<= 1361915991 glory0 NOT (sourcetype=moabstats otype=job NOT jobid=7165060)) OR (sourcetype=moabstats jobid=7165060) OR (sourcetype=slurm Job_id=7165060) OR (sourcetype=joblog JobId=7165060) NOT (host=-sp OR host=-cmm OR kern.info OR kern.warning OR MARK OR syslog-ng OR ntpd) ) )
But in 5.0: ( ( "index=hpc_* earliest=02/26/2013:14:53:24 latest=02/26/2013:14:59:56 (_time>=1361915609 _time<= 1361915991 glory0 NOT (sourcetype=moabstats otype=job NOT jobid=7165060)) OR (sourcetype=moabstats jobid=7165060) OR (sourcetype=slurm Job_id=7165060) OR (sourcetype=joblog JobId=7165060) NOT (host=-sp OR host=-cmm OR kern.info OR kern.warning OR MARK OR syslog-ng OR ntpd)" ) )
In 4.3, the appropriate events are found and displayed. In 5.0, no events are returned. The difference I note in 5.0 is the double-quotes within the outer (( )). If I cut-n-paste the stuff inside those quotes and use it as a search in 5.0, it works as it should. So my question is, how can I make the macro work in 5.0?
Another hint is that I think the 4.3 build mentioned above is 4.3.1, and I think I also saw this double-quotes issue in 4.3.4, but I am not sure and don't have a build-to-minor_version map.
The macro definition being used is exactly the same in 4.3 and 5.0:
[job(3)]
args = jobid,index,latest
definition = [search index=$index$ sourcetype=moabstats jobid=$jobid$ latest=$latest$ hosts=* NOT hosts=- | head 1 | eval end=if(start==end, now(), _time) | eval slurmStart=start-5 | eval slurmEnd=end+5 | convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(slurmStart) | convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(slurmEnd) | makemv delim="," hosts | mvexpand hosts | dedup hosts | mvcombine hosts | eval hostlist=mvjoin(hosts," OR ") | eval query = "index=$index$ earliest=".slurmStart." latest=".slurmEnd." (_time>=" . start . " _time<= " . end . " " . hostlist . " NOT (sourcetype=moabstats otype=job NOT jobid=$jobid$)) OR (sourcetype=moabstats jobid=$jobid$) OR (sourcetype=slurm Job_id=$jobid$) OR (sourcetype=joblog JobId=$jobid$) NOT (host=-sp OR host=-cmm OR kern.info OR kern.warning OR MARK OR syslog-ng OR ntpd)" | fields + query]
errormsg =
iseval = 0
And yes, my example above (and common usage) is a single-arg form of the macro, which uses the above 3-arg via:
[job(1)]
args = jobid
definition = job(jobid=$jobid$, index="hpc_*")
errormsg =
iseval = 0
validation =
[job(2)]
args = jobid,index
definition = job(jobid=$jobid$, index=$index$, latest=now())
errormsg =
iseval = 0
validation =
In job(3) replace
| fields + query
with
| return $query
?
Turns out that query is an external command that was too slow for my use - I encountered timeouts (which I could bump up). Changing the variable name from query to search worked though (the implicit format handles it slightly differently) - no double quotes and WAY faster than return.
It infuriated me too 🙂 been there / done it.
Also - accepting the answer is the normal way to assign rep, you don't have to spend your own.
ding - it works! thanks!