Can we write a Python or JS to update macros.conf?

Communicator

I have a lookup file which gets updated daily. Based on this, I want to update my macro as well.
e.g.: The Lookup contains fields: Exception, Ticket No, Description
I want to take the Exception field, escape-sequence all ( and [, replace \r\n by | and put these values in another macro which I am using in another app.

Can this be done using a Python custom command or JS? The escape sequence and replacing, probably I can do using SPL itself. The script should just update macros.conf.

Another alternative is to write a shell script, but trying from Splunk before I go that route.

Thanks,
Meenal

Re: Can we write a Python or JS to update macros.conf?

Communicator

More information:

Updating macros.conf from lookup. Below is my macro query and lookup definition (only the first 2 rows; I have 50 currently and it is expected to grow to 150+), which I want to update from a scheduled search, rather than manually. Can we construct something in Python? A shell script is another alternative, but if we can write a command for this, then it would be great. This is 1 case; if we can create something, it would be applicable to at least 2 more places. Also, this lookup file is updated at least 2 times every week. So automation can be really helpful for Splunk.

Lookup:
PITSNumber,PITSException,Status,Cluster_Type,Priority
194458,NoSuchPropertyException caught in ProductMaintenanceServiceImpl,Open,Global Cluster,High
237666,Unknown/unsupported Order format1 message type,Open,Business Cluster,Medium

Macro:

index=cboe* splunkserver=* | rex field=raw "(?<PITS194458>NoSuchPropertyException caught in ProductMaintenanceServiceImpl)"|rex field=raw "(?<PITS237666>Unknown/unsupported Order format1 message type)"| eval PITSNumber1=if(PITS194458!="",194458,"")|eval PITSNumber2=if(PITS237666!="",237666,"")|eval PITSException=mvappend(PITS194458,PITS237666)|search PITSException!=""| eval PITSNumber=mvappend(PITSNumber1,PITSNumber2)| lookup PITS.csv PITS as PITSNumber OUTPUT PITS as PITS, Exception as PITSExceptionPattern,Cluster_Type as Cluster,Priority as Priority,Status as Status

0 Karma
Re: Can we write a Python or JS to update macros.conf?

Communicator

You can't alter macros.conf without using SDKs.

But you can save the query in a lookup instead of a macro and modify it as the lookup changes. Then invoke the modified query using the map command (but it can return only 10K records).

0 Karma
Re: Can we write a Python or JS to update macros.conf?

Communicator

Python is not required. Any macro is exposed as a REST endpoint, and it can be updated using a curl command.
I finally used a combination of a search query (to prepare the content of the macro), scheduled it as an alert, and on alert wrote a simple shell script, using ARG8 provided by Splunk, to write it to macros.conf with a curl command.

0 Karma
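
The approach described in the reply above (scheduled alert, a script that reads the results file passed as argument 8, curl to the macro's REST endpoint), as an added example that is not the poster's script. The app and macro names, the token and CA file paths and the configs/conf-macros endpoint path are assumptions to check against your deployment, and the search is assumed to return a single row whose only column is the finished macro text.

```shell
#!/bin/sh
# Added example, not the poster's script. Names below are placeholders.
set -eu
SPLUNKD="https://localhost:8089"                    # splunkd management port
APP="search"                                        # app that owns the macro
MACRO="pits_exceptions"                             # macro stanza to update
TOKEN_FILE="/opt/splunk/etc/auth/macro_updater.token"   # mode 0600
CA_CERT="/opt/splunk/etc/auth/cacert.pem"           # CA that signed splunkd's cert

# Legacy alert scripts get the gzipped results CSV path as argument 8.
# Assumes the search returns one row, one column: the finished macro text.
read_definition() {
  gzip -dc "$1" | tr -d '\r' | sed -n '2p' |
    sed -e 's/^"\(.*\)"$/\1/' -e 's/""/"/g'    # undo CSV quoting
}

# Lookup text ends up inside SPL, so treat it as untrusted input.
# Assumes the macro is used inside a double-quoted regex: a quote would end
# that string and a backtick would start a nested macro call.
is_safe_definition() {
  [ -n "$1" ] || return 1
  case "$1" in *'"'*|*'`'*) return 1 ;; esac
  [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" = "$1" ]
}

update_macro() {
  # The token reaches curl via a config on stdin, so it never shows in ps.
  # --data-urlencode stops '&' or '=' in the text adding extra form fields.
  printf 'header = "Authorization: Bearer %s"\n' "$(cat "$TOKEN_FILE")" |
    curl --silent --show-error --fail --cacert "$CA_CERT" -K - \
      --data-urlencode "definition=$1" \
      "$SPLUNKD/servicesNS/nobody/$APP/configs/conf-macros/$MACRO"
}

main() {
  def=$(read_definition "$8")
  if ! is_safe_definition "$def"; then
    echo "refusing to update $MACRO: empty or unsafe definition" >&2
    return 1
  fi
  update_macro "$def" >/dev/null
}

# Only act when Splunk invoked the script with its alert arguments.
if [ "$#" -ge 8 ]; then main "$@"; fi
```

The account behind the token only needs write access to that one app's macros, which keeps the blast radius small if the lookup is ever tampered with.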
Re: Can we write a Python or JS to update macros.conf?

New Member

What did you do in your curl command to make it work? I am trying to update macro definitions using curl in the XML and failing.

0 Karma
Re: Can we write a Python or JS to update macros.conf?

Contributor

Hi Meenal,
Is it possible to provide me the sample/example code?

Thanks
Sathish Rangan

0 Karma