Splunk® Light

Getting Started Manual

Download manual as PDF

Download topic as PDF

Use search macros in Splunk Light

Search macros are reusable chunks of Search Processing Language (SPL) that you can insert into other searches. Search macros can be any part of a search, such as an eval statement or search term, and do not need to be a complete command. You can also specify whether or not the macro field takes any arguments.

Insert search macros into search strings

To include a search macro in a search string, use the back tick character ( ` ). On most English-language keyboards, this character is located on the same key as the tilde (~). You can also reference a search macro within other search macros using this same syntax. If you have a search macro named mymacro it looks like this when referenced in a search:

sourcetype=access_* | `mymacro`

Macros inside of quoted values are not expanded. In the following example, the search macro bar is not expanded.

"foo`bar`baz"

Search macros that contain generating commands

Generating commands like search, metadata, inputlookup, pivot, and tstats always appear at the start of search strings with a leading pipe character. If the definition of your search macro starts with a generating command, the search macro should be inserted into the start of your search string, with a leading pipe character before it. Do not put a leading pipe character in the definition of search macros that begin with generating commands. Here is an example:

| `mygeneratingmacro`

When search macros take arguments

If your search macro takes arguments, you define those arguments when you insert the macro into the search string. For example, if the search macro argmacro(2) includes two arguments that are integers, you might have insert the macro into your search string like this: `argmacro(120,300)`.

If your search macro argument includes quotes, escape the quotes when you call the macro in your search. For example, if you pass a quoted string as the argument for your macro, you would use: `mymacro("He said \"hello!\"")`.

Your search macro definition can include a validation expression that determines whether the arguments you have entered are valid, and a validation error message that you see when you provide invalid arguments.

Define search macros

Prerequisites

Steps

  1. In the sidebar menu, go to Knowledge > Search macros.
  2. Click New to create a new search macro.
  3. Change the Destination App to the app you want to restrict your search macro to if it has defaulted to the wrong app.
  4. Provide a unique Name for the search macro.
    If your search macro includes an argument, indicate this by appending the number of arguments to the name. For example, if your search macro mymacro includes two arguments, name it mymacro(2).
  5. In Definition, provide the search string that the macro expands to when you reference it in another search.
  6. (Optional) Select Use eval-based definition? to indicate that the Definition value is an eval expression.
  7. (Optional) Provide Arguments as appropriate for your search macro. This is a comma-delimited string of argument names without repeated elements. Argument names may only contain alphanumeric characters (a-Z, A-Z, 0-9), underscores, and dashes.
  8. (Optional) Provide a Validation expression that verifies whether the argument values used to invoke the search macro are acceptable. The validation expression is an eval expression that evaluates to a boolean or a string.
  9. (Optional) Provide a Validation error message if you defined a validation expression. This is the message that returns when the argument values that invoke the search macro fail the validation expression.
  10. Click Save to save your search macro.

Design a search macro definition

The fundamental part of a search macro is its definition, which is the SPL chunk that the macro expands to when you reference it in another search. There are a few things that you should know before you design a search macro definition.

If your search macro definition has variables that must be input by the macro user, put them in the definition as tokens that have dollar signs wrapped around them. For example, $arg1$ could be the first argument in a search macro definition.

Pipe characters and generating commands in macro definitions

When you use generating commands such as search, inputlookup, or tstats in searches, you always put them at the start of the search, with a leading pipe character.

However, if you want your search macro to use a generating command, you should remove the leading pipe character from the macro definition, and instead place it at the start of the search string that you are inserting the search macro into, in front of the search macro reference.

For example, say you have a search macro named mygeneratingmacro that has the following definition:

tstats latest(_time) as latest where index!=filemon by index host source sourcetype

The definition of mygeneratingmacro begins with the generating command tstats. Instead of preceding tstats with a pipe character in the macro definition, you put the pipe character in the search string, ahead of the search macro reference, like this:

| `mygeneratingmacro`

Eval expressions in macro definitions

To create macro definitions that are eval command expressions, select Use eval-based expression?. This setting specifies that the search macro definition is an eval expression that returns a string. This string is what the macro ultimately expands to.

Validate search macro arguments

When you define a search macro that includes arguments that must be entered by the user, you can define a Validation expression that determines whether the arguments supplied by the user are valid or not. You can also define a Validation error message that displays when search macro arguments fail validation.

The validation expression must be an eval expression that evaluates to a boolean or a string. If the validation expression is boolean, validation succeeds when the validation expression returns "true". If it returns "false" or is null, validation fails.

If the validation expression is not boolean, validation succeeds when the validation expression returns null. If it returns a string, validation fails.

PREVIOUS
Use lookups in Splunk Light
  NEXT
Check search and scheduler activity in Splunk Light

This documentation applies to the following versions of Splunk® Light: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters