How to locate and edit an existing macro search from an app (Splunk App for Unix and Linux)?

leochan — Wed, 09 Dec 2015 21:57:29 GMT

Is there anyway to locate and edit an existing macro search from an App (SA-nix) in this case?

    CPU_Exceeds_Percent_by_Host
        Open in Search Edit
        admin   SA-nix  Global

    CPU_Under_Percent_by_Host
        Open in Search Edit
        admin   SA-nix  Global

    Disk_Used_Exceeds_Perc_by_Host
        Open in Search Edit
        admin   SA-nix  Global

    IO_Utilization_Exceeds_Threshold
        Open in Search Edit
        admin   SA-nix  Global

    IO_Wait_Exceeds_Threshold
        Open in Search Edit
        admin   SA-nix  Global

An example search macro from SA-nix. If I try to append it with function I got an error. Thoughts?

`CPU_Exceeds_Percent_by_Host("`_unix_alert_threshold_CPU_Exceeds_Percent_by_Host`")`

This results in:

Error in 'fields' command: Invalid argument: 'earliest=-30m' 
`CPU_Exceeds_Percent_by_Host("`_unix_alert_threshold_CPU_Exceeds_Percent_by_Host`")` earliest=-30m

Re: How to locate and edit an existing macro search from an app (Splunk App for Unix and Linux)?

renjith_nair — Thu, 10 Dec 2015 04:08:08 GMT

its not advisable to change the objects which are part of an app because when you upgrade the app, all your changes will be overwritten. You can write a different macro and use it in case needed.

However, macros are available on disk

$SPUNK_HOME/etc/apps/SA-nix/default/macros.conf

Copy the default macros to $SPUNK_HOME/etc/apps/SA-nix/local/macros.conf and make changes if you still require

topic How to locate and edit an existing macro search from an app (Splunk App for Unix and Linux)? in All Apps and Add-ons

How to locate and edit an existing macro search from an app (Splunk App for Unix and Linux)?

Re: How to locate and edit an existing macro search from an app (Splunk App for Unix and Linux)?