Hello everyone,
I've been stuck for many days trying to understand what is preventing Splunk from passing arguments to the macro within the map section.
I have tried many combinations unsuccessfully and couldn't find matching answers in the forum yet.
Please find below a very simplified example of what I'm trying to achieve.
There is a macro with 2 arguments used to build the earliest value in the form of : -@.
Thank you for your suggestions and inputs
Macro name: x_Test_Macro(2)
-------------------------------------------------------
Arguments: macro_var_01,macro_var_02
Definition:
index=*
earliest=-$macro_var_01$$macro_var_02$@$macro_var_02$
latest=@d
| table _time
Macro sample execution:
------------------------------------
`x_Test_Macro(1,"mon")`
=> Works great and returns the expected results
(note: the tick characters don't display on this page but are surrounding the macro, thank you for your understanding)
But with the SPL code I'm trying to execute:
--------------------------------------------------------------
| makeresults
| eval Field1=1
| eval Field2="mon"
| map
[
search `x_Test_Macro($Field1$,$Field2$)`
]
=> It fails on: **Invalid value "-$Field1$$Field2$@$Field2$" for time term 'earliest'**
(note: the tick characters don't display on this page but are surrounding the macro, thank you for your understanding)
Comments:
-----------------
Apparently the $Field1$ and $Field2$ are not replaced by the corresponding values.
I don't understand the underlying cause of the failure.
On the contrary, the following SPL works fine:
-----------------------------------------------------------------
| makeresults
| eval Field1=1
| eval Field2="d"
| eval toto="-".Field1.Field2."@".Field2
| map search="search index=* earliest=$toto$ latest=@d | table _time"
=> Works great and returns the expected results