https://community.splunk.com/t5/Splunk-Search/search-with-value-from-setup-xml/m-p/71813#M17941 <P>In the past, I have achieved this functionality using <A href="http://www.splunk.com/base/Documentation/4.2/Admin/Macrosconf" rel="nofollow">macros</A>. Just have your <A href="http://www.splunk.com/base/Documentation/4.2/Developer/SetupExampleCustom" rel="nofollow">Python endpoint</A> write out an entry in macros.conf:</P> <PRE><CODE># Add the definition confMacro = {} confMacro["definition"] = "10" # Write out the conf file self.writeConf("macros", "order_transaction_min_count", confMacro) </CODE></PRE> <P>The resulting macros.conf should look something like (in local/macros.conf):</P> <PRE><CODE>[order_transaction_min_count] definition=10 </CODE></PRE> <P>Then, update your searches to use the macro:</P> <PRE><CODE>search eventtype="Orders" | transaction fields="OrderNumber" | search count&lt;`order_transaction_min_count` </CODE></PRE> <P>Make sure to include a default value for the macro under the default directory (default/macros.conf) so that you can avoid a warning if the user did not override it with their own value.</P> Thu, 31 Mar 2011 22:36:30 GMT LukeMurphey 2011-03-31T22:36:30Z https://community.splunk.com/t5/Splunk-Search/search-with-value-from-setup-xml/m-p/71812#M17940 <P>I have a setup.xml and a myappsetup.conf all setup properly (lets make that assumption for now, still many bugs to iron out). From within myappsetup.conf, there is a field called <STRONG>order_transaction_min_count</STRONG> and I want to use this field in my searches.</P> <P>For example:</P> <P><CODE>search eventtype="Orders" | transaction fields="OrderNumber" | search count&lt;order_transaction_min_count</CODE></P> <P>Is this correct? Or am I missing something here?</P> Thu, 31 Mar 2011 17:07:56 GMT https://community.splunk.com/t5/Splunk-Search/search-with-value-from-setup-xml/m-p/71812#M17940 klee310 2011-03-31T17:07:56Z https://community.splunk.com/t5/Splunk-Search/search-with-value-from-setup-xml/m-p/71813#M17941 <P>In the past, I have achieved this functionality using <A href="http://www.splunk.com/base/Documentation/4.2/Admin/Macrosconf" rel="nofollow">macros</A>. Just have your <A href="http://www.splunk.com/base/Documentation/4.2/Developer/SetupExampleCustom" rel="nofollow">Python endpoint</A> write out an entry in macros.conf:</P> <PRE><CODE># Add the definition confMacro = {} confMacro["definition"] = "10" # Write out the conf file self.writeConf("macros", "order_transaction_min_count", confMacro) </CODE></PRE> <P>The resulting macros.conf should look something like (in local/macros.conf):</P> <PRE><CODE>[order_transaction_min_count] definition=10 </CODE></PRE> <P>Then, update your searches to use the macro:</P> <PRE><CODE>search eventtype="Orders" | transaction fields="OrderNumber" | search count&lt;`order_transaction_min_count` </CODE></PRE> <P>Make sure to include a default value for the macro under the default directory (default/macros.conf) so that you can avoid a warning if the user did not override it with their own value.</P> Thu, 31 Mar 2011 22:36:30 GMT https://community.splunk.com/t5/Splunk-Search/search-with-value-from-setup-xml/m-p/71813#M17941 LukeMurphey 2011-03-31T22:36:30Z https://community.splunk.com/t5/Splunk-Search/search-with-value-from-setup-xml/m-p/71814#M17942 <P>thanks LukeMurphey </P> <P>Actually, I have gone with another route. Instead of using macros, I wrote a custom command which reads the the configuration dictionary with: </P> <PRE><CODE>splunk.clilib.cli_common.getConfStanza("myappconfig", "setupentity") </CODE></PRE> <P>and also reading the first argument to my command using: </P> <PRE><CODE>sys.argv[1] </CODE></PRE> <P>I was able to extract the information i needed and perform the custom search within the script. so now, my final search command would look something like this:</P> <PRE><CODE>search eventtype="Orders" | transaction fields="OrderNumber" | mycustomcommand order_transaction_min_count </CODE></PRE> <P>Thanks for your reply anyways.</P> Fri, 01 Apr 2011 11:33:24 GMT https://community.splunk.com/t5/Splunk-Search/search-with-value-from-setup-xml/m-p/71814#M17942 klee310 2011-04-01T11:33:24Z