Splunk® Enterprise

Admin Manual

Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

macros.conf

The following are the spec and example files for macros.conf.

macros.conf.spec

# Version 8.0.9
#
# This file contains possible attribute/value pairs for search language macros.
#
# There is a macros.conf file in $SPLUNK_HOME/etc/system/default/. To
# set custom configurations, place a macros.conf in
# $SPLUNK_HOME/etc/system/local/. For examples, see macros.conf.example. 
# You must restart Splunk software to enable configurations.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

[<STANZA_NAME>]

* Each stanza represents a search macro that can be referenced in any search.
* The stanza name is the name of the macro if the macro takes no arguments.
  Otherwise, the stanza name is the macro name appended with "(<numargs>)",
  where <numargs> is the number of arguments that this macro takes.
* Macros can be overloaded, which means they can have the same name but a
  different number of arguments. If you have [foobar], [foobar(1)],
  [foobar(2)], etc., they are not the same macro.
* Macros can be used in the search language by enclosing the macro name and any
  argument list within backticks. For example: `foobar(arg1,arg2)` or `footer`.
* Splunk software does not expand macros when they are inside quoted values (for
  example: "foo`bar`baz".)

args = <string>,<string>,...
* A comma-separated string of argument names.
* Argument names can only contain alphanumeric characters, underscores '_', and
  hyphens '-'.
* If the stanza name indicates that this macro takes no arguments, this
  setting is ignored.
* This list cannot contain any repeated elements.

definition = <string>
* The string that the macro will expand to, with the argument substitutions
  made. (The exception is when iseval = true, see below.)
* Arguments to be substituted must be wrapped by dollar signs ($). For example:
  "the last part of this string will be replaced by the value of argument foo $foo$".
* Splunk software replaces the $<arg>$ pattern globally in the string, even 
  inside of quotes.

validation = <string>
* A validation string that is an 'eval' expression.  This expression must
  evaluate to a boolean or a string.
* Use this setting to verify that the macro's argument values are acceptable.
* If the validation expression is boolean, validation succeeds when it returns
  true. If it returns false or is NULL, validation fails and Splunk software
  returns the error message defined by the 'errormsg' setting.
* If the validation expression is not boolean, Splunk software expects it to 
  return a string or NULL. If it returns NULL, validation is considered a success.
  Otherwise, the string returned is the error string.

errormsg = <string>
* The error message to be displayed if validation is a boolean expression and
  it does not evaluate to true.

iseval = true|false
* If "true", the definition attribute is expected to be an eval expression that
  returns a string representing the expansion of this macro.
* Default: false.

description = <string>
* OPTIONAL. A simple English description of what the macro does.

macros.conf.example

#   Version 8.0.9
#
# Example macros.conf
#

# macro foobar that takes no arguments can be invoked via `foobar`
[foobar]
# the definition of a macro can invoke another macro.  nesting can be indefinite
# and cycles will be detected and result in an error
definition = `foobar(foo=defaultfoo)`


# macro foobar that takes one argument, invoked via `foobar(someval)`
[foobar(1)]
args = foo
# note that this definition will include the leading and trailing quotes, i.e.
# something `foobar(someval)`
# would expand to
# something "foo = someval"
definition = "foo = $foo$"

# macro that takes two arguments
# note that macro arguments can be named so this particular macro could be
# invoked equivalently as `foobar(1,2)` `foobar(foo=1,bar=2)` or
# `foobar(bar=2,foo=1)`
[foobar(2)]
args = foo, bar
definition = "foo = $foo$, bar = $bar$"

# macro that takes one argument that does validation
[foovalid(1)]
args = foo
definition = "foovalid = $foo$"
# the validation eval function takes any even number of arguments (>=2) where
# the first argument is a boolean expression, the 2nd a string, the third
# boolean, 4th a string, etc etc etc
validation = validate(foo>15,"foo must be greater than 15",foo<=100,"foo must be <= 100")

# macro showing simple boolean validation, where if foo > bar is not true,
# errormsg is displayed
[foovalid(2)]
args = foo, bar
definition = "foo = $foo$ and bar = $bar$"
validation = foo > bar
errormsg = foo must be greater than bar

# example of an eval-based definition.  For example in this case
# `fooeval(10,20)` would get replaced by 10 + 20
[fooeval(2)]
args = foo, bar
definition = if (bar > 0, "$foo$ + $bar$", "$foo$ - $bar$")
iseval = true
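
The rules in the spec above (argument count in the stanza name, allowed argument names, no repeated arguments, $arg$ substitution even inside quotes, and the validation setting) can be checked mechanically before a macros.conf is deployed. The following Python linter is an added example, not part of the Splunk documentation or product; the name lint_macros, the sample stanzas by_host and by_src, and the decision to report arguments that have no validation expression are assumptions made for illustration.

```python
import configparser
import re

STANZA_RE = re.compile(r"^(?P<name>[^()]+)(?:\((?P<n>\d+)\))?$")
ARG_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")      # alphanumerics, '_' and '-' per the spec
ARG_REF_RE = re.compile(r"\$([A-Za-z0-9_-]+)\$")   # $<arg>$ placeholders in a definition

# Constructed sample input. [foovalid(2)] is copied from the example file above;
# [by_host(2)] and [by_src(1)] are hypothetical stanzas written to trip the checks.
SAMPLE = """
[foovalid(2)]
args = foo, bar
definition = "foo = $foo$ and bar = $bar$"
validation = foo > bar
errormsg = foo must be greater than bar
[by_host(2)]
args = host, host
definition = index=main host="$host$" user="$user$"
[by_src(1)]
args = src, dest
definition = src="$src$" dest="$dest$"
validation = isnotnull(src)
"""

def lint_macros(conf_text):
    """Return (stanza, finding) pairs for spec violations and unvalidated arguments."""
    cp = configparser.RawConfigParser(strict=False)  # Raw: no interpolation of values
    cp.read_string(conf_text)
    findings = []
    for stanza in cp.sections():
        m = STANZA_RE.match(stanza)
        if not m:
            findings.append((stanza, "name is not <macro> or <macro>(<numargs>)"))
            continue
        numargs = int(m.group("n") or 0)
        raw = cp.get(stanza, "args", fallback="").strip()
        # The spec says 'args' is ignored when the stanza name declares no arguments.
        args = [a.strip() for a in raw.split(",")] if numargs and raw else []
        if len(args) != numargs:
            findings.append((stanza, f"name declares {numargs} argument(s), args lists {len(args)}"))
        for a in args:
            if not ARG_NAME_RE.match(a):
                findings.append((stanza, f"invalid argument name {a!r}"))
        for a in sorted({a for a in args if args.count(a) > 1}):
            findings.append((stanza, f"repeated argument {a!r}"))
        definition = cp.get(stanza, "definition", fallback="")
        for ref in sorted(set(ARG_REF_RE.findall(definition)) - set(args)):
            findings.append((stanza, f"definition references undeclared ${ref}$"))
        if args and not cp.has_option(stanza, "validation"):  # assumption: treat as a finding
            findings.append((stanza, "arguments are substituted without a validation expression"))
    return findings
```

Calling lint_macros(SAMPLE) reports nothing for [foovalid(2)], three findings for [by_host(2)] and one for [by_src(1)].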

Last modified on 06 April, 2021

This documentation applies to the following versions of Splunk® Enterprise: 8.0.9

