I've come to find out that one cannot use macros within join statements in dashboards that have base searches (driving multiple/all panels in the dashboard).
For example, the following code doesn't work:
<dashboard>
<label>mylabel</label>
<search id="base">
<query>index=some_index sourcetype="mysourcetype" earliest=-30d@d
| `mymacro`
| search [search index=customer_index | `mymacro` | table customer | dedup customer]
| stats count by field1 field2 field3
| lookup mylookup customer OUTPUT customer_name as "Customer"
| join customer [ search index=some_index earliest=-30d@d sourcetype="mysourcetype" | `mymacro` | rex "(?<core>\w*)\s*(?<version>(\d|\.)*)\s*(?<build>.*)" | fields customer version] </query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<row>
<panel>
<title>Total Customers</title>
<single>
<search base="base">
<query>| table customer | dedup customer | stats count</query>
</search>
</single>
</panel>
</row>
</dashboard>
but if I take the macro out of the join statement, it will work:
<dashboard>
<label>mylabel</label>
<search id="base">
<query>index=some_index sourcetype="mysourcetype" earliest=-30d@d
| `mymacro`
| search [search index=customer_index | `mymacro` | table customer | dedup customer]
| stats count by field1 field2 field3
| lookup mylookup customer OUTPUT customer_name as "Customer"
| join customer [ search index=some_index earliest=-30d@d sourcetype="mysourcetype" | rex field=host "(.*)\.(?<StackId>[^\.]+).splunkcloud.com" | eval customer = StackId | rex "(?<core>\w*)\s*(?<version>(\d|\.)*)\s*(?<build>.*)" | fields customer version] </query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<row>
<panel>
<title>Total Customers</title>
<single>
<search base="base">
<query>| table customer | dedup customer | stats count</query>
</search>
</single>
</panel>
</row>
</dashboard>
where the macro mymacro expands to:
rex field=host "(.*)\.(?<StackId>[^\.]+).splunkcloud.com" | eval customer = StackId
Has anyone seen this before? It occurs in 6.4.x and 6.5.x. If so, is there a way around it?
Hi,
Have you tried putting your query inside a <![CDATA[]]> tag?
So like this:
<query>
<![CDATA[index=some_index sourcetype="mysourcetype" earliest=-30d@d
| `mymacro`
| search [search index=customer_index | `mymacro` | table customer | dedup customer]
| stats count by field1 field2 field3
| lookup mylookup customer OUTPUT customer_name as "Customer"
| join customer [ search index=some_index earliest=-30d@d sourcetype="mysourcetype" | rex field=host "(.*)\.(?<StackId>[^\.]+).splunkcloud.com" | eval customer = StackId | rex "(?<core>\w*)\s*(?<version>(\d|\.)*)\s*(?<build>.*)" | fields customer version]]]>
</query>
This should hopefully get around all of the tedious > and < issues.
This is hidden away in this Splunk doc: Special Characters in XML Files
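To show what the CDATA wrapper actually fixes, here is an added example (not part of the original post or of Splunk): it builds a Simple XML dashboard around a constructed base search shaped like the one in the question, whose rex named groups contain literal < and >, and checks with Python's own XML parser that the raw form is rejected while the CDATA form parses and returns the SPL unchanged. It also handles the one edge case CDATA has, a literal ]]> inside the query.

```python
import xml.etree.ElementTree as ET

# Constructed SPL mirroring the question's base search; the rex named capture
# groups contain literal "<" and ">", which are not legal in XML text content.
BASE_SPL = (
    'index=some_index sourcetype="mysourcetype" earliest=-30d@d\n'
    '| `mymacro`\n'
    '| join customer [ search index=some_index sourcetype="mysourcetype" | `mymacro` '
    '| rex "(?<core>\\w*)\\s*(?<version>(\\d|\\.)*)\\s*(?<build>.*)" | fields customer version]'
)
PANEL_SPL = "| table customer | dedup customer | stats count"


def wrap_cdata(spl: str) -> str:
    """Wrap SPL in a CDATA section. A literal ']]>' inside the SPL would end the
    section early, so it is split across two adjacent CDATA sections."""
    return "<![CDATA[" + spl.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def dashboard_xml(base_spl: str, panel_spl: str, use_cdata: bool) -> str:
    """Emit a Simple XML dashboard with one base search and one post-process panel,
    with the base query either inserted raw or wrapped in CDATA."""
    q = wrap_cdata(base_spl) if use_cdata else base_spl
    return (
        "<dashboard>\n<label>mylabel</label>\n"
        f'<search id="base">\n<query>{q}</query>\n'
        "<earliest>-30d@d</earliest>\n<latest>now</latest>\n</search>\n"
        "<row>\n<panel>\n<title>Total Customers</title>\n<single>\n"
        f'<search base="base">\n<query>{panel_spl}</query>\n</search>\n'
        "</single>\n</panel>\n</row>\n</dashboard>\n"
    )


def extract_queries(xml_text: str):
    """Parse the dashboard as XML and return {search id or 'base=<id>': query text},
    or None if the document is not well-formed (what Splunk would choke on)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    out = {}
    for s in root.iter("search"):
        key = s.get("id") or "base=" + s.get("base", "")
        out[key] = (s.findtext("query") or "").strip()
    return out
```

Running extract_queries on the raw variant returns None because `<core>` is read as an unclosed start tag, while the CDATA variant round-trips BASE_SPL byte for byte.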
After posting this (and editing it for clarity) I believe I've found the culprit: the macro expands to have the characters '<' and '>' which do not work all that well in XML and should instead be coded as &lt; and &gt;
So the question is: if the macro has characters such as '>' and '<' - they work outside of the join (such as in the base search itself, or in a subsearch of a search command) - but they do NOT work within the join....
Is there a way to have the macro expand in a manner that it will be properly encoded within the XML within the join command?