Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit Macro from a search dashboard checklist?

kamrankayani
New Member
‎04-24-2019 01:58 AM

Hi all,

My aim is to have a checklist in a dashboard and according to what is selected, the content or description of a specific Macro is amended.

For example.

Checklist1

Tom ✔
Jerry
Peter ✔
Pan

Macro1 = "Tom, Peter"

Is there a way in doing this?

Thanks in advance!

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-24-2019 05:47 AM

Hi @knielsen,

You need to do rest call (/servicesNS/admin//configs/conf-macros/) to macro conf file to update macro definition. The following two ways you can try.

With Python
- Write custom command (commands.conf, bin/python-file)
- Use splunk.rest.SimpleRequest to call on /servicesNS/admin//configs/conf-macros/ with POST method to update value - Reference
- Call custom command from a search and pass the selected values as argument to custom command.

With Javascript
Call given rest call (/servicesNS/admin//configs/conf-macros/) from javascript as well. Reference

0 Karma
Reply

knielsen
Contributor
‎04-24-2019 02:19 AM

Well, you can't use "," as part of a macro name. So if you want to use a delimiter, "_" would be my choice, eg something like

  <fieldset submitButton="false">
    <input type="checkbox" token="Macro1">
      <label>field1</label>
      <choice value="Tom">Tom</choice>
      <choice value="Jerry">Jerry</choice>
      <choice value="Peter">Peter</choice>
      <choice value="Pan">Pan</choice>
      <delimiter>_</delimiter>
    </input>
  </fieldset>

You can then simply use it in your query like

<query>index=foo ... | `$Macro1$` ... </query>

So "Tom, Peter" won't work, but "Tom_Peter" does.

0 Karma
Reply

kamrankayani
New Member
‎04-24-2019 02:47 AM

Hey Knielsen,

Thank you for your prompt reply..
This is a bit different to what I am trying to achieve. Reason I am using Macros rather than Token, is because the parameter it stores I would like to use it against several dashboards instead of just the one local dashboard.
The Macro I would like to amend is stored in Settings > Advanced Search > Macros

Thanks again.

0 Karma
Reply

knielsen
Contributor
‎04-24-2019 04:21 AM

Yeah, I misunderstood I guess.

You want to change existing macros? It is possible (but not easy) to use the REST API for that, but there is no direct way of doing that without some external scripting AFAIK.

Search for topics on REST API and macros for a start, or wait for someone who can give better advise. I just played around with it for a little, but that's really nothing I can help directly with.

0 Karma
Reply

kamrankayani
New Member
‎04-24-2019 04:25 AM

No worries, thanks for your help again!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...