Can a macro be created for an application based on...

simpkins1958 · ‎04-14-2016

Our server can input data into Splunk either via Syslog or Http Event Collector. In our Splunk application, we want the user to be able to specify which method they are using and then create a macro based on that information. This is to handle our legacy Splunk application that currently only uses syslog. With our next release we are adding Http Event Collector too.

We want to configure setup.xml for our application to define a macro based on user input.

A boolean input for "Use Syslog Data"

In macros.conf file:

[DiagnosticsDataSource(1)]
args = diagnosticsType

if "Use Syslog Data" = true

definition = sourcetype=syslog LocalityServer "$diagnosticsType$"

else

definition = sourcetype= "$diagnosticsType$"

martin_mueller · ‎04-14-2016

Have you considered just OR'ing both options statically?

martin_mueller · ‎04-14-2016

Great. I've converted the comment to an answer, feel free to mark this as accepted if you're happy.

simpkins1958 · ‎04-14-2016

Thanks. This works.

Can a macro be created for an application based on the application setup.xml?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation