Which of the following searches show a valid use of a macro? (Choose all that apply.)
Which of the following searches show a valid use of a macro? (Choose all that apply.)
A valid use of a macro involves correctly incorporating the macro syntax in a Splunk search. Option A demonstrates this by utilizing 'makeMyField(oldField)' within a piped search command, assuming makeMyField is a predefined macro which processes oldField. Similarly, option C correctly applies the macro within an eval statement to create a new field. Option B is incorrect due to the malformed if statement, and option D appears incorrect because the macro usage syntax is not valid in that context. Therefore, the searches that show a valid use of a macro are A and C.
B can't be true, it has a malformed if statement. I think it's A & C.
https://docs.splunk.com/Documentation/Splunk/9.0.0/Knowledge/Usesearchmacros
Search macros can be any part of a search, such as an eval statement or search term and do not need to be a complete command. Macros inside of quoted values are not expanded.
A is Correct
Correct ans is A
AC are correct
A and C are correct. Anyone saying C is wrong due to quotes is ignoring the fact macro's use ` ` syntax
A, C Can't be B because "if" takes 3 arguments.
I'm I the only one that see there's no "NewField" in the A search and that would likely result in the search not working. For me only C is working in terms of macro's and search. But maybe I'm wrong.
please check in splunk also
Only A is correct B is incorrect since the if statement was malformed C is incorrect since the field value must be quoted by double-quotes, not single-quotes D is incorrect obviously
A and C are correct. A obviously, and C works because I just tried it
which one is the final answer friends, could you pls confirm.
I think the only answer is A based off what I read here: https://community.splunk.com/t5/Knowledge-Management/How-to-pass-field-values-as-macro-arguments/m-p/164018 BD are for sure incorrect (improper use of back ticks (D) and no function following stats command (B)) C however, I think is also wrong because eval evaluates mathematical, string, and boolean expressions.. therefore eval newField='makeMyField(oldField)' would take oldField as a string and not as an argument.
if it was in single quote then it eval would have taken that as string.. but here it is in back tick
A, C correct answers
Only A works why are the others being suggested?
AC are correct
@kbisht : Why not C or D?
Not Sure what does D do ? I think A & C are correct. | eval n=`tostringnumber(15)` where as the macro is tostring($number$, "hex") , If I understood the option C correctly , this works.