Re: macro with parameter as eval-base definition

eranhauser · ‎01-17-2022

My main query looks like:
...| stats min(_time) AS SESSION_START_TIME max(Source_Network_Address) AS EMP_SRC_IP...
| eval empID=`my_macro($EMP_SRC_IP$, $SESSION_START_TIME $)`

My macro definition is:
index=my_idx event.eventID=4624 event.Come_From=$ip_address$ latest=$time$ | sort - _time | head 1| table event.Who_Is_It

My questions are:
1. How can I make my macro, my_macro, returns a String which is the value of event.Who_IS_It ?

2. Is the way I assign the macro returned value to param name empID is the right way?

eranhauser · ‎01-18-2022

The query works great if I pass to the macro values and not params:
trim(`my_macro("8.8.8.8", 1642031990)`) but once try to use params I get the errors

ITWhisperer · ‎01-18-2022

How are you passing the parameters?

eranhauser · ‎01-18-2022

eval empID=trim(`my_macro(EMP_SRC_IP, SESSION_START_TIME)`)

eranhauser · ‎01-18-2022

My query looks like:
... | stats min(_time) AS SESSION_START_TIME max(Source_Network_Address) AS EMP_SRC_IP ... | eval empID=trim(`my_macro($EMP_SRC_IP$, $SESSION_START_TIME$)`)

eranhauser · ‎01-18-2022

I found the issue: The macro should be a little different:

[search index=my_idx event.eventID=4624 event.Come_From=$ip_address$  latest=$time$ 
| sort - _time 
| head 1
| rename "event.Who_Is_It" as query | fields query | format "\"" "" "" "" "" "\"" | table search]

The problem now is that I get error passing parameters.

| eval empID=trim(`my_macro($EMP_SRC_IP$, $SESSION_START_TIME $)`)

Invalid value "$SESSION_START_TIME$" for time term 'latest'

Any idea what is wrong?

ITWhisperer · ‎01-18-2022

You don't need $ around the field names you are passing into the macro

| eval empID=trim(`my_macro(EMP_SRC_IP, SESSION_START_TIME)`)

eranhauser · ‎01-18-2022

After removing the $ I get the following error:
Invalid value "SESSION_START_TIME" for time term 'latest'

eranhauser · ‎01-18-2022

I created the macro as a subsearch as you suggested below:

[search index=my_idx event.eventID=4624 event.Come_From=$ip_address$  latest=$time$ 
| sort - _time 
| head 1
| table 'event.Who_Is_It'
| rename "event.Who_Is_It" as query | fields query | format "\"" "" "" "" "" "\""]

and when I call it on Splunk UI :

`my_macro($EMP_SRC_IP$, $SESSION_START_TIME $)`

I got the results I mentioned above

ITWhisperer · ‎01-18-2022

On the splunk search UI call it like this

| makeresults
| eval empID=trim(`my_macro($EMP_SRC_IP$, $SESSION_START_TIME $)`)

ITWhisperer · ‎01-17-2022

Try setting your macro up like this:

[search index=my_idx event.eventID=4624 event.Come_From=$ip_address$  latest=$time$ 
| sort - _time 
| head 1
| table 'event.Who_Is_It'
| rename "event.Who_Is_It" as query | fields query | format "\"" "" "" "" "" "\""]

You may also need to trim the result

| eval empID=trim(`my_macro($EMP_SRC_IP$, $SESSION_START_TIME $)`)

eranhauser · ‎01-18-2022

Something strange is going on. When I run the query of the macro as you suggested on Splunk UI (as a subsearch) I got zero results back. If I remove the last part of "| rename" I got 11 results back as if it ignore the "| head 1". When I run it NOT as a subsearch I got one result as expected.
What should I do to fix it?

Why is that?

ITWhisperer · ‎01-18-2022

What do you mean "as a subsearch"? Can you share exactly what you have in the search in a code block </>

macro with parameter as eval-base definition

eval

other

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!