All Apps and Add-ons

Constant strings

dreadangel
Path Finder

Hi,

I'm using dbdata (https://splunkbase.splunk.com/app/4253/) application in order to access my REST endpoint to collect events to splunk.
Here is a sample:

| dbdata url="[Endpoint url]?param1=value1&param2=value2" headers="[headers data]"

So as far I have several searches, is it possible in splunk to consfigure parametrized constants for url and headers params, so I could reuse them in those searches - kind of searches global config:

| dbdata url=URL_CONSTANT."?param1=value1&param2=value2" headers=HEADER_CONSTANT

Any thoughts?

0 Karma
1 Solution

woodcock
Esteemed Legend

Yes, first create macros called URL_CONSTANT and HEADER_CONSTANT that have your strings, then use it like this:

| makereuslts
| eval url = `URL_CONSTANT` . "?param1=value1&param2=value2", headers=`HEADER_CONSTANT`
| map search="| dbdata url=$url$ headers=headers"

View solution in original post

woodcock
Esteemed Legend

Yes, first create macros called URL_CONSTANT and HEADER_CONSTANT that have your strings, then use it like this:

| makereuslts
| eval url = `URL_CONSTANT` . "?param1=value1&param2=value2", headers=`HEADER_CONSTANT`
| map search="| dbdata url=$url$ headers=headers"

dreadangel
Path Finder

thanks, macros is the solution here -

Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through: An introduction to the Splunk Threat ...