Splunk Core Certified Power User — Question 189

Which of the following searches show a valid use of a macro? (Choose all that apply.)

Answer options

• A. index=main source=mySource oldField=* |'makeMyField(oldField)'| table _time newField
• B. index=main source=mySource oldField=* | stats if('makeMyField(oldField)') | table _time newField
• C. index=main source=mySource oldField=* | eval newField='makeMyField(oldField)'| table _time newField
• D. index=main source=mySource oldField=* | "'newField('makeMyField(oldField)')'" | table _time newField

Correct answer: A, C

Explanation

Options A and C correctly implement a macro by directly invoking 'makeMyField(oldField)' to transform data. Option B incorrectly uses stats with if, which does not properly call a macro, and option D incorrectly attempts to call a macro with additional quotes, leading to a syntax error.