Splunk Search

Using field values as parameters for macros bis

guilhem
Contributor

Hi!

I have the need to write a "macro" that takes field values as parameters. I have understood from this thread that it is not possible using a simple macro as macro doesn't pass value, but rather only the string given as parameter.

I think it is possible to use a custom search command, but that looks like a bit of over-thinking it. Is there any other method? (even a hacky solution would be enough).

Here is the sketch of the search I want to run:

index=_myindex
| join [search index=myindex | "some complicated search" | eval myfield="some complicated eval"]
| `my_macro(myfield)`

The content of the "myfield" field is a string (there is no function inside like "now()" or the like). Basically myfield=(s=XXX OR s=YYY OR s=ZZZ)

Many thanks!

0 Karma

guilhem
Contributor

One may note that this can be achieved by a smart join after the first one (or by a where clause inside the join), but I do not want to do it like this, as the eval myEval is almost free (time-wise), and adding more search arguments inside the join performs way better (tested, and the results are found 2x faster) than the join or where method.

Thanks for your help

0 Karma

guilhem
Contributor

I still have to figure out how to do it, but I have done some research and the main problem comes from the fact that the result of a field cannot be used as a parameter inside a search.

For example I have this:

index=test action
| join [some search | eval myEval="some search result"]
| join action [search index=test action myEval]

I want to be able to replace the myEval key by its value, but I still haven't found a way to do it.

0 Karma

alacercogitatus
SplunkTrust

You could try using the map command on a set of the values of "myfield".

index=myindex | join [ search index=myindex | some_search | eval yourfield="eval" ] | stats count by yourfield | map [| `my_macro($yourfield$)`]

0 Karma
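To make the map approach above concrete, here is an added example (not code from this thread) that skips the macro and substitutes the field value straight into the per-row search; the value of yourfield is constructed, and some_search stands for whatever produces it.

```spl
index=myindex
| join [ search index=myindex | some_search | eval yourfield="(s=XXX OR s=YYY OR s=ZZZ)" ]
| stats count by yourfield
| map maxsearches=50 search="search index=myindex $yourfield$ | stats count by s"
```

The stats before map collapses the rows so map runs one search per distinct clause rather than one per event, and maxsearches (default 10) caps how many of those searches map will run, so set it explicitly. The clause is substituted as raw text, so it must already be valid SPL.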

guilhem
Contributor

Thanks for the answer,

but when I try this I get a:
"The job appears to have expired or has been canceled. Splunk could not retrieve data for this search."

Or if I use eventstats instead of stats, I get a:

"[EventsViewer module] Cannot access search data; job 1362647009.7159 is a zombie and is no longer with us"

0 Karma