How to Create a Search Macro in Splunk

How to Create a Search Macro in Splunk

Hi guys !! Today we have come with a new interesting topic of Splunk that is Search Macro. Search Macro can be defined as a full SPL query or a chunk of a query which can be reused in another query or can be used as single. Search Macro can be any part of a query such as any command, eval functions etc.
There are mainly two types of Search Macro in Splunk. Those are following:
1)  Search Macro Without Argument – Normal SPL query or a chunk of a query.
 2) Search Macro With Argument – You can specify a macro to take argument with it.

Below we have shown how to create Search Macro in Splunk.
Process Step:
LocationSettings » Advanced search » Search macros » New Search Macro

macro1

macro2

macro3

Follow the above mentioned path then you will be able to create a New Search Macro.
Search Macro Without Argument
You can save a full SPL query or a chunk of a query as a form of Search Macro.
Example 1 : Save a full SPL query as a Search Macro

macro4

In the above image we have shown a sample of Search Macro. Follow the Process Step at first.We have given Destination app as search because only for the search app we are creating this Search Macro. You can select your desired app name for which you want to create Search Macro. Give a name to the Search Macro by which name you want to use the Search Macro for future. Here we have given Name as fullmacro. In the Definition you have to write the SPL query. Here we have written a complete SPL query ( index=_internal sourcetype= splunkd_ui_access | stats count by method ) . After that click on Save to save the Search Macro.

macro5

In the search tab you have to write the macro name in between back quote (`) like `fullmacro`. In most of English-Language key board you can find this back quote (`) in same key of tild(~) . Click Enter to view the result.

macro11

You can see the Expanded Search String by clicking Control + Shift + E ( For windows and linux system) . In this way you can see the SPL query which is saved behind the Search Macro .

Example 2 : Save a chunk of a SPL query as a Search Macro

macro19

In the above image we have shown a sample of Search Macro. Follow the Process Step at first.We have given Destination app as search because only for the search app we are creating this Search Macro. You can select your desired app name for which you want to create Search Macro. Give a name to the Search Macro by which name you want to use the Search Macro for future. Here we have given Name as chunkmacro. In the Definition you have to write the SPL query. Here we have written a chunk of a SPL query ( | stats count by method ). After that click on Save to save the Search Macro.

macro8

In the search tab you have to write the macro name in between back quote (`) like `chunkmacro`. In most of English-Language key board you can find this back quote(`) in same key of tild(~) . We have written index=_internal sourcetype=splunkd_ui_access `chunkmacro` .Click Enter to view the result.
Here _internal is the index name and sourcetype name is splunkd_ui_access . Inside the macro we have store a chunk of a SPL query ( | stats count by method ).

macro6

You can see the Expanded Search String by clicking Control + Shift + E ( For windows and linux system) . In this way you can see the SPL query which is saved behind the Search Macro .

Search Macro With Argument
Example 1: Create a Search Macro with single argument

macro9

In the above image we have shown a sample of Search Macro. Follow the Process Step at first.We have given Destination app as search because only for the search app we are creating this Search Macro. You can select your desired app name for which you want to create Search Macro. Give a name to the Search Macro by which name you want to use the Search Macro for future. Here we have given Name as singlemacro(1) . You have to specify the number of arguments , how many arguments you are using into the Definition . Here we have written a SPL query in the Definition ( index=_ internal sourcetype=splunkd_ui_access method=$arg$ | stats count by method ) with an argument called arg . That’s why we have given 1 in the Name. You have to write the argument inside “$” sign. Also you have to write the argument name in Arguments field which you have used in the Definition. Here we have written arg in the Arguments field. After that click on Save to save the Search Macro.

macro10

In the search tab you have to write the macro name in between back quote (`) like `singlemacro(GET)`. You have to write the method field value inside the () for which you want to show the data. This given value will pass through the argument which you have specified inside the Search Macro. In most of English-Language key board you can find this back quote(`) in same key of tild(~) . Here we have given method field value as GET so in the result we are getting the output only for method is equal to GET.

macro11

You can see the Expanded Search String by clicking Control + Shift + E ( For windows and linux system) . In this way you can see the SPL query which is saved behind the Search Macro .

Example 2: Create a Search Macro with double argument

macro12

In the above image we have shown a sample of Search Macro. Follow the Process Step at first.We have given Destination app as search because only for the search app we are creating this Search Macro. You can select your desired app name for which you want to create Search Macro. Give a name to the Search Macro by which name you want to use the Search Macro for future. Here we have given Name as doublemacro(2) . You have to specify the number of arguments , how many arguments you are using into the Definition . Here we have written a SPL query in the Definition ( index=_ internal sourcetype=splunkd_ui_access method=$arg$ status=$var$ | stats count by method,status ) with two arguments called arg and var . That’s why we have given 2 in the Name. Like this way if you are using multiple argument then you have to give the number as per number of arguments used in the Definition . You have to write the arguments inside $ sign. Also you have to write the arguments names in Arguments field which you have used in the Definition. Here we have written arg and var with comma as a separator in the Arguments field. After that click on Save to save the Search Macro.

macro13

In the search tab you have to write the macro name in between back quote (`) like `doublemacro(GET,200)`. You have to now write the method field value and status field value inside the () with comma delimited ,for which you want to show the data. This given values will pass through the arguments which you have specified inside the Search Macro. In most of English-Language key board you can find this back quote(`) in same key of tild(~) . Here we have given method field value as GET and status field value as 200 so in the result we are getting the output only for method is equal to GET and status is equal to 200.

macro14

You can see the Expanded Search String by clicking Control + Shift + E ( For windows and linux system) . In this way you can see the SPL query which is saved behind the Search Macro .

Example 3: Create a Eval Base Search Macro

macro15

In the above image we have shown a sample of Search Macro. Follow the Process Step at first.We have given Destination app as search because only for the search app we are creating this Search Macro. You can select your desired app name for which you want to create Search Macro. Give a name to the Search Macro by which name you want to use the Search Macro for future. Here we have given Name as evalmacro(2) . You have to specify the number of arguments , how many arguments you are using into the Definition . Here we have written a SPL query with eval command in the Definition [| eval New_Field=round(($field$/$var$),3)) ] with two arguments called field and var . That’s why we have given 2 in the Name. Like this way if you are using multiple argument then you have to give the number as per number of arguments used in the Definition . You have to write the write the argument inside $ sign. Also you have to write the arguments names in Arguments field which you have used in the Definition. Here we have written field and var with comma as a separator in the Arguments field. We have given an eval expression in Validate Expression that is isnum($var$) . In the place of var argument it only takes the number . Also given Validation Error Message. It will show if the Validation Expession is false. After that click on Save to save the Search Macro.

macro16

In the search tab you have to write the macro name in between back quote (`) like `evalmacro(status,34)`. In most of English-Language key board you can find this back quote (`) in same key of tild(~). We have written index=_internal sourcetype=splunkd_ui_access `evalmacro(status,34)` .Click Enter to view the result.
Here _internal is the index name and sourcetype name is splunkd_ui_access . Here status is a numerical value field and we are dividing each status field value by 34 . Also we have rounded off upto 3 decimal place and store the value in a new field called New_Field . This New_Field is generating by the Search Macro. By the table command we have taken status and New_Field field and by the dedup command we have removed the duplicate values from the result set.

macro17

In the search tab you have to write the macro name in between back quote (`) like `evalmacro(status,dd)`. In most of English-Language key board you can find this back quote(`) in same key of tild(~). We have written index=_internal sourcetype=splunkd_ui_access `evalmacro(status,dd)` .Click Enter to view the result. Here it is showing an error because dd is not a number . So it is violating the Validation Expression which we have given at time of macro creation . So it will show that Validation Error Message as “You have given wrong input. Please put any numerical value”.

macro18

You can see the Expanded Search String by clicking Control + Shift + E ( For windows and linux system) . In this way you can see the SPL query which is saved behind the Search Macro . This Expanded Search String is for the right query.

Hope this has helped you in achieving the below requirement without fail !!

How to Create a Search Macro in Splunk

 

Happy Splunking !!

 

Advertisements

2 comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.