Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Macro Question

Ant1D
Motivator
‎09-02-2010 08:45 AM

Hey,

I have the following saved search in my Splunk instance which I saved as a search macro:

sourcetype="log-file-pub" "market data retrieval failed" OR "The request failed with HTTP status 503: Service Unavailable" OR "Error getting market data" OR "The request failed with HTTP status 403: Forbidden"

Is it possible to write a search macro with arguments which allows me to specify the strings (i.e. market data retrieval failed) that Splunk searches for in the above sourcetype?

The only part of the search which remains fixed is: sourcetype="log-file-pub"

The other strings (in between the OR's) change depending on what the user specifies.

Reply
1 Solution
Solved! Jump to solution
Solution

hulahoop
Splunk Employee
Splunk Employee
‎09-02-2010 04:12 PM

Take a look at this example showing how you can parameterize a search macro:

Example - Combine search macros and transactions

So try defining your macro 'foo(4)' like this:

sourcetype="log-file-pub" $msg1$ OR $msg2$ OR $msg3$ OR $msg4$

And remember to specify your arguments in the Arguments list:

msg1,msg2,msg3,msg4

Then reference the macro like this:

`foo("bar1","bar2","bar3","bar4")`

... or with your specified messages:

`foo("market data retrieval failed","The request failed with HTTP status 503: Service Unavailable","Error getting market data","The request failed with HTTP status 403: Forbidden")`

Also, if you want to preserve the literal quotations marks, then either define your macro with quotes around the args:

sourcetype="log-file-pub" "$msg1$" OR "$msg2$" OR "$msg3$" OR "$msg4$"

... or pass the quotes when using the macro:

`foo("\"bar1\"","\"bar2\"","\"bar3\"","\"bar4\"")`

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Ant1D
Motivator
‎09-15-2010 02:50 PM

Hi gkanapathy, I edited my original question in relation to the things you have asked

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-02-2010 04:36 PM

can you clarify, what exactly is to be parameterized. maybe if you provide two or three examples where the parameter is different. which of parts of the search string are fixed, and which need to change and how?

0 Karma
Reply
Solved! Jump to solution
Solution

hulahoop
Splunk Employee
Splunk Employee
‎09-02-2010 04:12 PM

Take a look at this example showing how you can parameterize a search macro:

Example - Combine search macros and transactions

So try defining your macro 'foo(4)' like this:

sourcetype="log-file-pub" $msg1$ OR $msg2$ OR $msg3$ OR $msg4$

And remember to specify your arguments in the Arguments list:

msg1,msg2,msg3,msg4

Then reference the macro like this:

`foo("bar1","bar2","bar3","bar4")`

... or with your specified messages:

`foo("market data retrieval failed","The request failed with HTTP status 503: Service Unavailable","Error getting market data","The request failed with HTTP status 403: Forbidden")`

Also, if you want to preserve the literal quotations marks, then either define your macro with quotes around the args:

sourcetype="log-file-pub" "$msg1$" OR "$msg2$" OR "$msg3$" OR "$msg4$"

... or pass the quotes when using the macro:

`foo("\"bar1\"","\"bar2\"","\"bar3\"","\"bar4\"")`

0 Karma
Reply
Solved! Jump to solution

hulahoop
Splunk Employee
Splunk Employee
‎09-04-2010 01:33 AM

Sorry, I misunderstood what you want to do. So if I understand you correctly this time around, the revised answer should work.

0 Karma
Reply
Solved! Jump to solution

Ant1D
Motivator
‎09-03-2010 09:04 AM

I tried this. Was unsuccessful. Shouldn't my macro be called foo(4) which is defined as: sourcetype="log-file-pub" $messagearg$ OR $messagearg$ OR $messagearg$ OR $messagerarg ??? This is based on the fact that I want my macro to be able to take 4 arguments being any 4 strings (error getting data etc) that I want to write in the search

0 Karma
Reply
Solved! Jump to solution

bojanz
Communicator
‎09-02-2010 10:21 AM

You can build a custom dashboard that includes a form.

See developer documentation at http://www.splunk.com/base/Documentation/latest/Developer/FormIntro for more information on building forms.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...