Splunk Search

Search Macro Question

Ant1D
Motivator

Hey,

I have the following saved search in my Splunk instance which I saved as a search macro:

sourcetype="log-file-pub" "market data retrieval failed" OR "The request failed with HTTP status 503: Service Unavailable" OR "Error getting market data" OR "The request failed with HTTP status 403: Forbidden"

Is it possible to write a search macro with arguments which allows me to specify the strings (i.e. market data retrieval failed) that Splunk searches for in the above sourcetype?


The only part of the search which remains fixed is: sourcetype="log-file-pub"

The other strings (in between the OR's) change depending on what the user specifies.

1 Solution

hulahoop
Splunk Employee

Take a look at this example showing how you can parameterize a search macro:

Example - Combine search macros and transactions

So try defining your macro 'foo(4)' like this:

sourcetype="log-file-pub" $msg1$ OR $msg2$ OR $msg3$ OR $msg4$

And remember to specify your arguments in the Arguments list:

msg1,msg2,msg3,msg4

Then reference the macro like this:

`foo("bar1","bar2","bar3","bar4")`

... or with your specified messages:

`foo("market data retrieval failed","The request failed with HTTP status 503: Service Unavailable","Error getting market data","The request failed with HTTP status 403: Forbidden")`

Also, if you want to preserve the literal quotation marks, then either define your macro with quotes around the args:

sourcetype="log-file-pub" "$msg1$" OR "$msg2$" OR "$msg3$" OR "$msg4$"

... or pass the quotes when using the macro:

`foo("\"bar1\"","\"bar2\"","\"bar3\"","\"bar4\"")`

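The accepted answer leaves two things implicit: what the macro definition looks like on disk, and why the quoted variant of the definition matters. The Python below is an added example, not code from the post or from Splunk: it embeds a constructed macros.conf with both variants of foo(4) (the stanza name foo_unquoted(4) is invented here for contrast), performs the $arg$ substitution the same way a text template would, and then splits the expanded search into the terms a search parser would see. Because substitution is textual, an unquoted $msg1$ receiving "market data retrieval failed" turns into four separate bare terms instead of one phrase, which is the problem the quoted definition avoids. The argument pre-check is our own assumption about what is worth rejecting (empty values, a pipe, an unbalanced quote); in real Splunk that kind of constraint is expressed with the validation and errormsg keys of macros.conf, which take an eval expression rather than Python.

```python
import configparser
import re
from typing import Dict, List

# Constructed macros.conf text (not from the original post). foo(4) is the
# quoted definition from the accepted answer; foo_unquoted(4) is an invented
# stanza holding the unquoted variant so the two can be compared side by side.
MACROS_CONF = """
[foo_unquoted(4)]
args = msg1,msg2,msg3,msg4
definition = sourcetype="log-file-pub" $msg1$ OR $msg2$ OR $msg3$ OR $msg4$

[foo(4)]
args = msg1,msg2,msg3,msg4
definition = sourcetype="log-file-pub" "$msg1$" OR "$msg2$" OR "$msg3$" OR "$msg4$"
"""

# The four messages from the original question, passed as macro arguments.
MESSAGES = [
    "market data retrieval failed",
    "The request failed with HTTP status 503: Service Unavailable",
    "Error getting market data",
    "The request failed with HTTP status 403: Forbidden",
]


def load_macros(conf_text: str) -> Dict[str, Dict[str, object]]:
    """Parse macros.conf-style stanzas into {name: {"args": [...], "definition": str}}.
    Interpolation is disabled so '$' and '%' in definitions are left untouched."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    macros: Dict[str, Dict[str, object]] = {}
    for stanza in cp.sections():
        raw_args = cp[stanza].get("args", "")
        args = [a.strip() for a in raw_args.split(",") if a.strip()]
        macros[stanza] = {"args": args, "definition": cp[stanza]["definition"]}
    return macros


def validate_arg(value: str) -> None:
    """Our own pre-check (assumption, not Splunk's default behaviour): refuse
    values that would change the shape of the search rather than its terms."""
    if not value.strip():
        raise ValueError("empty macro argument")
    if "|" in value:
        raise ValueError("pipe character not allowed in macro argument")
    if value.count('"') % 2:
        raise ValueError("unbalanced double quote in macro argument")


def expand_macro(macros: Dict[str, Dict[str, object]], name: str, values: List[str]) -> str:
    """Substitute $argname$ placeholders with the caller's values, textually."""
    macro = macros[name]
    args: List[str] = macro["args"]  # type: ignore[assignment]
    if len(values) != len(args):
        raise ValueError(f"{name} expects {len(args)} arguments, got {len(values)}")
    for v in values:
        validate_arg(v)
    mapping = dict(zip(args, values))
    # One regex pass over the definition: a value that itself contains "$msg2$"
    # is inserted verbatim and never expanded a second time.
    pattern = re.compile(r"\$(" + "|".join(re.escape(a) for a in args) + r")\$")
    return pattern.sub(lambda m: mapping[m.group(1)], str(macro["definition"]))


def search_terms(search: str) -> List[str]:
    """Split an expanded search into the terms a search parser would see:
    a double-quoted phrase is one term, anything else splits on whitespace."""
    return re.findall(r'"[^"]*"|\S+', search)


MACROS = load_macros(MACROS_CONF)

if __name__ == "__main__":
    for name in ("foo_unquoted(4)", "foo(4)"):
        expanded = expand_macro(MACROS, name, MESSAGES)
        print(f"{name}: {expanded}")
        print(f"  terms seen by the parser: {len(search_terms(expanded))}")
```

Running it shows foo(4) expanding to eight terms (the sourcetype, four phrases, three ORs) while foo_unquoted(4) expands to 29, because each space inside an unquoted argument starts a new term; that is the concrete difference behind the answer's "preserve the literal quotation marks" advice. Passing "\"bar1\"" style values into the unquoted definition works the same way: the quotes travel with the value and the phrase survives.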

Ant1D
Motivator

Hi gkanapathy, I edited my original question in relation to the things you have asked.

gkanapathy
Splunk Employee

Can you clarify what exactly is to be parameterized? Maybe provide two or three examples where the parameter is different. Which parts of the search string are fixed, and which need to change, and how?


hulahoop
Splunk Employee

Sorry, I misunderstood what you want to do. So if I understand you correctly this time around, the revised answer should work.


Ant1D
Motivator

I tried this. Was unsuccessful. Shouldn't my macro be called foo(4), defined as: sourcetype="log-file-pub" $messagearg$ OR $messagearg$ OR $messagearg$ OR $messagearg$ ? This is based on the fact that I want my macro to be able to take 4 arguments, being any 4 strings (error getting data etc.) that I want to write in the search.

bojanz
Communicator

You can build a custom dashboard that includes a form.

See developer documentation at http://www.splunk.com/base/Documentation/latest/Developer/FormIntro for more information on building forms.
