- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- compute the macro name to be used in a search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Guys,
Is it possible to calculate the name of a macro to be used in a search from a token value?
I have a drop down list of system names that I have corresponding macros for.
eg
key = ABC - macro = ABC_hosts
key = DEF - macro = DEF_hosts
key = GHI - macro = GHI_hosts
When a user selects an item from the list I want to use the token in my search to compute which macro to use. Is there a way to compute the macro name in the search?
$system$_host
if the user selected ABC I would like the search to have the following calculated using the token
index="_main" ABC_hosts
Thanks 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks guys I got it working using the following code:
it basically puts the macros with thei name and code in a table and returns one column as the name and the the search string column as the field value.
Thanks for the help
| eval sysName = substr(title, 1, len(title)-6)
| Table sysName, title, definition
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks guys I got it working using the following code:
it basically puts the macros with thei name and code in a table and returns one column as the name and the the search string column as the field value.
Thanks for the help
| eval sysName = substr(title, 1, len(title)-6)
| Table sysName, title, definition
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, in theory tokens are replaced in a dashboard before the search runs, so this should work as long as ABC_hosts uses the proper format of a macro
`ABC_hosts`
so, just try it and see if it works for you 😉
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Mas for the response, I guess my problem is how to I turn the value to my token into a macro.
I'm not sure of the syntax, how do I add the value of the token and _hosts and have splunk treat it as a macro?
so it my token value is ABC I want to add _host to it an pop some quotes around it so it becomes 'ABC_hosts'
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Melstrathdee there would be multiple ways to do this
1) Code <change> event handler for dropdown to set for macro to be replaced in search query
2) Code <change> event handler for dropdown to set complete search query with macro replaced selected value.
3) Modify SPL to have macro call and actual macro value to be replaced with value selected in dropdown. (As pointed out my @MuS)
You should be able to find examples of each on Splunk answers.
If you can give sample SPL to be invoked for couple of dropdown values selected we would be able to assist you with specific option you want to implement.
| makeresults | eval message= "Happy Splunking!!!"
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
