Re: how to make a reusable macro which replaces fi...

SimonKof · ‎03-14-2018

I have a splunk dashboard which shows metrices for an API.

The dashboard have a graph showing response times and a table showing min, max, average of response times. They both include the following eval in the search to group endpoints with ids in the url.

eval endpoint = replace(endpoint,"user\/\d+\/address","user/{id}/address")

This way the calls to /user/12345/address and /user/98765/address will be grouped as /user/{id}/address.

How do I create a macro that I can use to extract this functionality so it can be used in several dashboard panel searches? For example:

index=api
| eval endpoint = replace(endpoint,"user\/\d+\/address","user/{id}/address") 
| timechart span=1h count by endpoint

and

index=api 
| eval endpoint = replace(endpoint,"user\/\d+\/address","user/{id}/address")  
| stats Count, min(executiontime), max(executiontime), avg(executiontime), stdev(executiontime) by endpoint 
| sort - count 
| head 20

I would like it to have a macro called group_endpoints so I can simplify the above to something similar to:

index=api
| group_endpoints(endpoints)
| timechart span=1h count by endpoint

niketn · ‎03-14-2018

@SimonKof, is this question different from https://answers.splunk.com/answers/626482/extracting-eval-for-reuse-in-other-searches.html?

If you can use Calculated Fields to make the above eval reusable, will you still need a macro to do something similar?

If Calculated Fields solves your need let us know and this question can be closed as duplicate.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

how to make a reusable macro which replaces field text

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!