https://community.splunk.com/t5/Getting-Data-In/Global-Tokens-in-Searches/m-p/587696#M103216 <P>i know this is and old post but does it still work in 8.2</P><P>also if someone could give an example of how to fill out the macro. I am also looking for a way to reference a list of IP's but the macro does not seem to work or i am using it incorrectly</P> Fri, 04 Mar 2022 18:14:21 GMT tazzvon 2022-03-04T18:14:21Z https://community.splunk.com/t5/Getting-Data-In/Global-Tokens-in-Searches/m-p/546439#M91015 <P>I'm an occasional Splunk Enterprise user so forgive me if this is a noob question or has been answred before:</P><P>We use Qualys to scan our systems daily for vunerabilties. As such, on things like web servers it generates a lot of logs entries as it scans endpoints. At times it might crawl a website for example generating a lot of failed requests as it creates ad-hoc GET requests to try and see what to can return from the site.</P><P>As such, I have a requirment to build queries that exclude log entries with the scanners IP address therein. The thing is this IP (or rather IPs) are growing as we introduce slave nodes to scan our network.</P><P>What I would like to do is the following:</P><UL><LI><FONT color="#008000">have our query creators use a token that is a list of the Qualys scanner IP addresses and use that as an exclusion in their search macros e.g. <FONT color="#993366">index=iis | c_ip NOT ($myglobaltoken)</FONT></FONT></LI></UL><P>&nbsp;The thing is though I want this token defined <FONT color="#993366"><STRONG>globally</STRONG> </FONT>by the admin team so we can update the values in it and thus all queries (in different apps etc.) referencing it are updated thus.&nbsp;</P><P>Is this possible?</P> Thu, 01 Apr 2021 21:11:00 GMT https://community.splunk.com/t5/Getting-Data-In/Global-Tokens-in-Searches/m-p/546439#M91015 shocko 2021-04-01T21:11:00Z https://community.splunk.com/t5/Getting-Data-In/Global-Tokens-in-Searches/m-p/546460#M91017 <P>One way to do that is with a macro.&nbsp; Define a macro with the list of IP addresses in it.&nbsp; Make sure it is syntactically correct.&nbsp; Share the macro Globally.&nbsp; Then users just need to use the macro in their searches.</P><LI-CODE lang="markup">index=iis | c_ip NOT `myglobaltoken`</LI-CODE> Fri, 02 Apr 2021 00:38:02 GMT https://community.splunk.com/t5/Getting-Data-In/Global-Tokens-in-Searches/m-p/546460#M91017 richgalloway 2021-04-02T00:38:02Z https://community.splunk.com/t5/Getting-Data-In/Global-Tokens-in-Searches/m-p/547168#M91081 <P>Thanks! Not sure why I didn't think of that!? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 08 Apr 2021 08:57:07 GMT https://community.splunk.com/t5/Getting-Data-In/Global-Tokens-in-Searches/m-p/547168#M91081 shocko 2021-04-08T08:57:07Z https://community.splunk.com/t5/Getting-Data-In/Global-Tokens-in-Searches/m-p/587696#M103216 <P>i know this is and old post but does it still work in 8.2</P><P>also if someone could give an example of how to fill out the macro. I am also looking for a way to reference a list of IP's but the macro does not seem to work or i am using it incorrectly</P> Fri, 04 Mar 2022 18:14:21 GMT https://community.splunk.com/t5/Getting-Data-In/Global-Tokens-in-Searches/m-p/587696#M103216 tazzvon 2022-03-04T18:14:21Z https://community.splunk.com/t5/Getting-Data-In/Global-Tokens-in-Searches/m-p/587699#M103217 <P>Yes, it still works in 8.2.</P><P>Please post a new question showing what you've tried and the results from those attempts.&nbsp; Feel free to refer to this question in yours.</P> Fri, 04 Mar 2022 18:54:51 GMT https://community.splunk.com/t5/Getting-Data-In/Global-Tokens-in-Searches/m-p/587699#M103217 richgalloway 2022-03-04T18:54:51Z