Splunk Search

How to build a search macro for multiple client run times?

fisuser1
Contributor

Looking to build a macro on an ugly search for some of our clients. Multiple clients use this same search, therefore I want to build the macro to implement for each of those clients. I will be searching against a field name of Client to define the individual timings and have had no luck building this macro that produces any results. Is this possible?

sourcetype=PROFILE_DAYEND_STATS $Client$ UPROC = "*" Session!= 1800DAMR Session!= 1800DBKA Session!= 1800DBKB Session!= 1800DBRF Session!= 1800DBRH Session!= 1800DBRN Session!= 1800DD1S Session!= 1800DDBA Session!= 1800DUKL Session!= 1800DVBU Session!= 1800DWEB Session!= 1800DYES Session!= 1800DZES Session!= 1800XREPCHKR Session!= 2400DAMR Session!= 2400DBKA Session!= 2400DBKB Session!= 2400DDBA Session!= 2400DREX Session!= 2400DRTNA Session!= 2400DRTNP Session!= 2400DUKL Session!= 2400DVBU Session!= 2400DWEB Session!= 2400DYES Session!= 2400DZES Session!= 2700DAMR Session!= 2700DBKA Session!= 2700DBKB Session!= 2700DDBA Session!= 2700DREORG Session!= 2700DREX Session!= 2700DRTNA Session!= 2700DRTNP Session!= 2700DUKL Session!= 2700DVBU Session!= 2700DWEB Session!= 2700DYES Session!= 3500DAMR Session!= 3500DBKA Session!= 3500DBKB Session!= 3500DDBA Session!= 3500DREORG Session!= 3500DREX Session!= 3500DRTNA Session!= 3500DRTNP Session!= 3500DVBU Session!= 3500DWEB Session!= 3500DYES Session!= 4500DAMR Session!= 4500DBKA Session!= 4500DBKB Session!= 4500DREORG Session!= 4500DREX Session!= 4500DUKL Session!= 4500DVBU Session!= 4500DYES Session!= 5200DAMR Session!= 5200DBKA Session!= 5200DBKB Session!= 5200DBRF Session!= 5200DBRH Session!= 5200DBRN Session!= 5200DRTNA Session!= 5200DDBA Session!= 5200DREORG Session!= 5200DREX Session!= 5200DRTNA Session!= 5200DRTNP Session!= 5200DUKL Session!= 5200DVBU Session!= 5200DWEB Session!= 5200DYES Session!= 5200DZES Session!= 5600DAMR Session!= 5600DBKA Session!= 5600DBKB Session!= 5600DD1S Session!= 5600DDBA Session!= 6473DRTNA Session!= 5600DREX Session!= 5600DRTNA Session!= 5600DRTNP Session!= 5600DVBU Session!= 5600DYES Session!= 5600DZES Session!= 5600XREPCHKR Session!= 5600DRRH Session!= 5600DRRF Session!= 5600DRRN Session!= 5995DAMR Session!= 5995DBKA Session!= 5995DBKB Session!= 5995DD1S Session!= 5995DDBA Session!= 5995DREORG Session!= 5995DREX Session!= 5995DRTNA Session!= 5995DRTNP Session!= 5995DVBU Session!= 
5995DWEB Session!= 5995DYES Session!= 5995DZES Session!= 6473DAMR Session!= 6473DBKA Session!= 6473DBKB Session!= 6473DBRF Session!= 6473DBRH Session!= 6473DBRN Session!= 6473DD1S Session!= 6473DDBA Session!= 6473DMRF Session!= 6473DREORG Session!= 6473DREX Session!= 6473DRTNP Session!= 6473DUKL Session!= 6473DVBU Session!= 6473DWEB Session!= 6473DYES Session!= 6473DZES Session!= 6473XREPCHKR Session!= 6606DAMR Session!= 6606DARF Session!= 6606DARN Session!= 6606DBKA Session!= 6606DBKB Session!= 6606DBRH Session!= 6606DBRN Session!= 6606DD1S Session!= 6606DDBA Session!= 6606DDRM Session!= 6606DHPG Session!= 6606DREORG Session!= 6606DREX Session!= 6606DROD Session!= 6606DUKL Session!= 6606DVBU Session!= 6606DWEB Session!= 6606DYES Session!= 6606DZES Session!= 6606DRRH Session!= 6606DRRF Session!= 6606DRRN Session!= 7700DAMR Session!= 7700DBKA Session!= 7700DBKB Session!= 7700DD1S Session!= 7700DDBA Session!= 7700DREORG Session!= 7700DREX Session!= 7700DRTNA Session!= 7700DRTNP Session!= 7700DUKL Session!= 7700DVBU Session!= 7700DWEB Session!= 7700DYES Session!= 7700DZES Session!= 7700MYES Session!= 8109BYES Session!= 8109DAMR Session!= 8109DBKA Session!= 8109DBKB Session!= 8109DBRF Session!= 8109DBRN Session!= 8109DD1S Session!= 8109DDBA Session!= 8109DMRF Session!= 8109DMRN Session!= 8109DREORG Session!= 8109DREX Session!= 8109DRTNA Session!= 8109DRTNP Session!= 8109DUKL Session!= 8109DVBU Session!= 8109DWEB Session!= 8109DYES Session!= 8109DZES Session!= 8109MDRF Session!= 8109XREPCHKR Session!= F_8200DAMR Session!= 8200DBKA Session!= 8200DBKB Session!= 8200DBRF Session!= 8200DBRH Session!= 8200DBRN Session!= 8200DD1S Session!= 8200DDBA Session!= 8200DTXT Session!= 8200DUKL Session!= 8200DVBU Session!= 8200DWEB Session!= 8200DYES Session!= 8200WZES Session!= 8200DRRH Session!= 8200DRRF Session!= 8200DRRN Session!= 8200DVBU Session!= 8200DREORG Session!= 8200DDBA Session!= 8200DBRH Session!= 8200DYES Session!= 8200WZES Session!= M_8200RFSH Session!= 8200DWEB 
Session!= XMON* Session!= IU* Session!= 9100DAMR Session!= 9100DBKA Session!= 9100DBKB Session!= 9100DBRF Session!= 9100DBRH Session!= 9100DBRN Session!= 9100DD1S Session!= 9100DDBA Session!= 9100DREORG Session!= 9100DREX Session!= 9100DRTNA Session!= 9100DRTNP Session!= 9100DUKL Session!= 9100DVBU Session!= 9100DWEB Session!= 9100DYES Session!= 9100DZES Session!= 9100XREPCHKR Session!= 8200DTES Session!= 5200DD1S | eval Start=strftime(StartTime/1000,"%H:%M:%S %p") | eval End=strftime(EndTime/1000,"%H:%M:%S %p")| eval seconds=(EndTime-StartTime)/1000 | eval mins=(seconds/60) | table ClientName, StartDate, Start, End, Session, UPROC, mins, seconds| sort - seconds| head 40
0 Karma

DalJeanis
SplunkTrust

FIRST, a search will often return no results if any of the fields in the query do not exist - in this case, StartDate, StartTime, EndTime, and ClientName are the ones to check. If you're not sure what's happening, then replace the first "| eval" with "| head 5" and look at the first 5 records returned by your macro search.

I suspect that you'll want to add a clause that says

| eval ClientName = $Client$

and it will work fine.

SECOND, you are searching for any record that has the parameter value $Client$ anywhere in the record, rather than for records that have their ClientName field set to equal the parameter value $Client$. If the field ClientName DOES exist, then adjust your search code accordingly.

THIRD, you have over 200 values that you want the session NOT to be. If this search is being run repeatedly, you might want to define a data model; specifically, you might just create/define an index field in the database, perhaps called SessionIgnore, which is set to 1 for all the events with Session values in the above list, and which is set to 0 for all the events with sessions NOT in the above list. Then you just search for SessionIgnore=0 instead of all those individual tests.

0 Karma
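One way to define the macro asked about above, constraining ClientName rather than matching $Client$ anywhere in the event, and to replace the long run of Session!= tests with a lookup along the lines of the SessionIgnore idea in the third point. This is an added example, not code from either post; the macro name, the lookup file session_ignore.csv and its Session column are assumptions.

```ini
# macros.conf (added example). Assumes a lookup file session_ignore.csv
# with a single column "Session" holding every session to exclude; rows
# such as XMON* keep their wildcard meaning when the subsearch expands.
# Call it from a search as `profile_dayend_runtimes(ACME)`.
[profile_dayend_runtimes(1)]
args = Client
definition = sourcetype=PROFILE_DAYEND_STATS ClientName="$Client$" UPROC="*" \
    NOT [| inputlookup session_ignore.csv | fields Session] \
    | eval Start=strftime(StartTime/1000,"%H:%M:%S") \
    | eval End=strftime(EndTime/1000,"%H:%M:%S") \
    | eval seconds=(EndTime-StartTime)/1000, mins=seconds/60 \
    | table ClientName, StartDate, Start, End, Session, UPROC, mins, seconds \
    | sort - seconds | head 40
iseval = 0
# Only a plain client identifier is accepted, so a dashboard token or
# user-supplied argument cannot inject extra search syntax into the body.
validation = match(Client, "^[A-Za-z0-9_\-]+$")
errormsg = Client must be a single alphanumeric client name
```

Maintaining the exclusions in the lookup file means adding or removing a session is a one-row change rather than an edit to every client's search.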

sundareshr
Legend

Why not create a datamodel instead?

0 Karma