Splunk Search

Using field values as parameters for macros bis

guilhem
Contributor

Hi!

I have the need to write a "macro" that takes field values as parameters. I have understood from this thread that it is not possible using a simple macro, as a macro doesn't pass the value, but rather only the string given as parameter.

I think it is possible to use a custom search command, but it looks like overthinking it a bit. Is there any other method? (Even a hacky solution would be enough.)

Here is the sketch of the search I want to run:

index=_myindex
| join [search index=myindex | "some complicated search" | eval myfield="some complicated eval"]
| `my_macro(myfield)`

The content of the "myfield" field is a string (there is no function inside, like "now()" or the like). Basically myfield=(s=XXX OR s=YYY OR s=ZZZ)

Many thanks!

0 Karma

guilhem
Contributor

One may note that this can be achieved by a smart join after the first one (or by a where clause inside the join), but I do not want to do it like this, as the eval myEval is almost free (time-wise), and adding more search arguments inside the join performs way better (tested, and the results are found 2x faster) than the join or where method.

Thanks for your help

0 Karma

guilhem
Contributor

I still have to figure out how to do it, but I have done some research and the main problem comes from the fact that the result of a field cannot be used as a parameter inside a search.

For example, I have this:

index=test action
| join [some search | eval myEval="some search result"]
| join action [search index=test action myEval]

I want to be able to replace the myEval key by its value, but I still haven't found a way to do it.

0 Karma

alacercogitatus
SplunkTrust

You could try using the map command on a set of the values of "myfield".

index=myindex | join [ search index=myindex | some_search | eval yourfield="eval" ] | stats count by yourfield | map [ search `my_macro($yourfield$)` ]

0 Karma
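A fuller version of the map approach from the answer above, written for this thread as an added example (not the answerer's or the OP's code). It assumes a macro defined in macros.conf as `[my_macro(1)]` with `args = filter` and `definition = search index=myindex $filter$`; the index, sourcetype, field and macro names are placeholders, and lines starting with # are annotations rather than SPL.

```spl
# 1. Driving search: build the filter clause from data instead of typing it.
#    Each row ends up with yourfield holding one complete clause such as
#    (s=XXX OR s=YYY), which is the string the OP wants to hand to the macro.
index=myindex sourcetype=myapp status=failure
| stats values(s) AS s BY user
| eval yourfield="(" . mvjoin(mvmap(s, "s=" . s), " OR ") . ")"
| fields user yourfield
| dedup yourfield
# 2. map runs the bracketed search once per remaining row, substituting
#    $yourfield$ and $user$ textually. Because my_macro only splices its
#    argument into the search, the clause lands in the macro as $filter$.
| map maxsearches=20 [ search `my_macro($yourfield$)` | eval driver_user="$user$" ]
```

map launches one search per row and silently stops after maxsearches (default 10), so keep the driving row count small and set maxsearches explicitly.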

guilhem
Contributor

Thanks for the answer,

but when I try this I get:
"The job appears to have expired or has been canceled. Splunk could not retrieve data for this search."

Or if I use eventstats instead of stats, I get:

"[EventsViewer module] Cannot access search data; job 1362647009.7159 is a zombie and is no longer with us"

0 Karma