Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to pass CSV values to a search via macro?

adamsmith47
Communicator
‎12-21-2021 10:50 AM

We have a foo.csv which will be updated regularly, and we have searches which require some of the data in foo.csv to run properly. I would like to solve this using a macro in the searches, but am having difficulties.

foo.csv

 

field1,field2,field3
bar11,bar21,bar31
bar12,bar22,bar32
bar13,bar23,bar33

 

 

I need "bar11","bar12","bar13" to be inserted to a search, like so:

 

| pivot fooDM barData
    min(blah) AS min_blah
    filter field1 in ("bar11","bar12","bar13")

 

 

So I created a macro which (when run alone in a search) gives a quoted comma separated list, myMacro:

 

[| inputlookup foo.csv 
| strcat "\"" field1 "\"" field1
| stats values(field1) AS field1 
| eval search=mvjoin(field1, ",")
| fields search]

 


The above macro I've attempted both "Use eval-based definition" and not, and place it in search like this:

 

| pivot fooDM barData
    min(blah) AS min_blah
    filter field1 in (`myMacro`)

 

 

I would love any help. Thank you!

 

Labels (3)
Labels
0 Karma
Reply

adamsmith47
Communicator
‎12-21-2021 11:45 AM

I was receiving various parsing errors, depending on changes I was making in attempt to get it to work. Never received results.

I suppose I should try to get the search to work without a macro first..... so, using the lookup to fill data into the "filter" parameter for the pivot. I can do it with dashboard tokens, but, not sure how to do it in SPL alone.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-21-2021 05:11 PM

Making it work without the macro first is a good idea.

After that, keep in mind that a non-eval macro is a simple text substitution.  That means the value of the macro has to make syntactic sense when it replaces the macro invocation.

Consider making the scope of the macro a little larger  It may work better as a complete command (perhaps with arguments) than as an argument to another command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-21-2021 11:40 AM

Please finish the story.  What results do you get with the last query?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...