Hello & merry xmas to all,
I would like to create a macro-expansion using searchmatch (eval-command) such that the argument to searchmatch is expanded from an argument. Here is an example:
[macro1(1)]
definition = | eval YN=if(searchmatch($arg1$),"Y","N")
...
so from Splunk, I might use the macro like this:
... | eval foo="bar&baz&alpha" | eval foo=replace(foo,"&"," AND ") `macro1(foo)`
note, the illustration of foo="bar&baz&alpha" is just an example; in my real usage, the value of foo is retreived from a lookup-table, therefore the number of '&' contained within varies
the error I get is as follows:
Error in 'eval' command: The arguments to the 'searchmatch' function are invalid.
Can this be done?