Splunk Dev

Can we write a Python or JS to update macros.conf?

meenal901
Communicator

I have a lookup file which gets updated daily. Based on this, I want to update my macro as well.
e.g.: The Lookup contains fields: Exception, Ticket No, Description
I want to take Exception field, escape-sequence all ( and [, replace \r\n by | and put these values in another macro which i am using on another app.

Can this be done using a Python custom command or JS? The escape sequence and replacing, probably I can do using SPL itself. The script should just update macros.conf.

Another alternative is to write a shell script, but trying from Splunk before I go that route.

Thanks,
Meenal

1 Solution

meenal901
Communicator

Answering my own question 🙂

Python is not required. Any Macro is exposed as a REST end-point, and using curl command, it can be updated.
I finally used combination of search query (to prepare content of macro), scheduled it as alert and on alert wrote a simple shell script by using ARG8 provided by splunk, to write it in macros.conf by curl command.

View solution in original post

meenal901
Communicator

Answering my own question 🙂

Python is not required. Any Macro is exposed as a REST end-point, and using curl command, it can be updated.
I finally used combination of search query (to prepare content of macro), scheduled it as alert and on alert wrote a simple shell script by using ARG8 provided by splunk, to write it in macros.conf by curl command.

rsathish47
Contributor

Hi Meenal,
Is possible to provide me the sample/example code ?

Thanks
Sathish Rangan

0 Karma

meenal901
Communicator

Python is not required. Any Macro is exposed as a REST end-point, and using curl command, it can be updated.
I finally used combination of search query (to prepare content of macro), scheduled it as alert and on alert wrote a simple shell script by using ARG8 provided by splunk, to write it in macros.conf by curl command.

0 Karma

forum4lifeson
New Member

What did you do in your curl command to make it work. I am trying to update macro definitions using curl in the xml and failing.

0 Karma

meenal901
Communicator

More information:

Updating macros.conf from lookup. Below is my macro query and lookup definition, (only first 2 rows, i have 50 currently and expected to grow 150+) which I want to update from a scheduled search, rather than manually. Can we construct something in python? Shell script is another alternative, but if we can write a command for this, then it would be great. This is 1 case, if we can create something, would be applicable to atleast 2 more places. Also, this lookup file is updated at least 2 times every week. So automation can be really helpful for Splunk.

Lookup:
PITS_Number,PITS_Exception,Status,Cluster_Type,Priority
194458,NoSuchPropertyException caught in ProductMaintenanceServiceImpl,Open,Global Cluster,High
237666,Unknown/unsupported Order format1 message type,Open,Business Cluster,Medium

Macro:

index=cboe_* splunk_server=* | rex field=_raw "(?<PITS_194458>NoSuchPropertyException caught in ProductMaintenanceServiceImpl)"|rex field=_raw "(?<PITS_237666>Unknown/unsupported Order format1 message type)"| eval PITS_Number1=if(PITS_194458!="",194458,"")|eval PITS_Number2=if(PITS_237666!="",237666,"")|eval PITS_Exception=mvappend(PITS_194458,PITS_237666)|search PITS_Exception!=""| eval PITS_Number=mvappend(PITS_Number1,PITS_Number2)| lookup PITS.csv PITS as PITS_Number OUTPUT PITS as PITS, Exception as PITS_Exception_Pattern,Cluster_Type as Cluster,Priority as Priority,Status as Status

0 Karma

Arun_N_007
Communicator

You cant alter macros.conf without using SDKs.

But you can save the query in a lookup instead of macro and modify it as per lookup changes. And in using map command (But it can return only 10K records) invoke the modified query.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...