Which of the following searches show a valid use of a macro? (Choose all that apply.)
Which of the following searches show a valid use of a macro? (Choose all that apply.)
A valid use of a macro involves correctly incorporating the macro syntax in a Splunk search. Option A demonstrates this by utilizing 'makeMyField(oldField)' within a piped search command, assuming makeMyField is a predefined macro which processes oldField. Similarly, option C correctly applies the macro within an eval statement to create a new field. Option B is incorrect due to the malformed if statement, and option D appears incorrect because the macro usage syntax is not valid in that context. Therefore, the searches that show a valid use of a macro are A and C.
B can't be true, it has a malformed if statement. I think it's A & C.
https://docs.splunk.com/Documentation/Splunk/9.0.0/Knowledge/Usesearchmacros
Search macros can be any part of a search, such as an eval statement or search term and do not need to be a complete command. Macros inside of quoted values are not expanded.
Correct ans is A
A is Correct
A and C are correct. Anyone saying C is wrong due to quotes is ignoring the fact macro's use ` ` syntax
AC are correct
A, C correct answers
I think the only answer is A based off what I read here: https://community.splunk.com/t5/Knowledge-Management/How-to-pass-field-values-as-macro-arguments/m-p/164018 BD are for sure incorrect (improper use of back ticks (D) and no function following stats command (B)) C however, I think is also wrong because eval evaluates mathematical, string, and boolean expressions.. therefore eval newField='makeMyField(oldField)' would take oldField as a string and not as an argument.
if it was in single quote then it eval would have taken that as string.. but here it is in back tick
which one is the final answer friends, could you pls confirm.
A and C are correct. A obviously, and C works because I just tried it
Only A is correct B is incorrect since the if statement was malformed C is incorrect since the field value must be quoted by double-quotes, not single-quotes D is incorrect obviously
please check in splunk also
I'm I the only one that see there's no "NewField" in the A search and that would likely result in the search not working. For me only C is working in terms of macro's and search. But maybe I'm wrong.
A, C Can't be B because "if" takes 3 arguments.
@kbisht : Why not C or D?
Not Sure what does D do ? I think A & C are correct. | eval n=`tostringnumber(15)` where as the macro is tostring($number$, "hex") , If I understood the option C correctly , this works.
AC are correct
Only A works why are the others being suggested?