How can I create a Macro with multiple arguments?

raymondc · ‎02-08-2017

Hi

I want to create a macro with at least 1 argument and maximum 20 arguments.
So I created 20 macros. (See example below. I only displayed 3 of them and leaved out some other statements.)

Is there a other way to do this?

Example of my current macros.conf file:

 [get_type(3)]
 args = field_1, field_2, field_3
 definition = ... | where (my_field=$field_1$ OR my_field=$field_2$ OR my_field=$field_3$) | ...

 [get_type(2)]
 args = field_1, field_2
 definition = ... | where (my_field=$field_1$ OR my_field=$field_2$) | ...

 [get_type(1)]
 args = field_1
 definition = ...| where my_field=$field_1$ | ...

DalJeanis · ‎02-09-2017

Sure, if you are just passing text values, all destined for testing a single field, then you can pass the argument as a single delimited string, and parse it in the macro. Can't write the parse code off the top of my head, but the call would look like -

 get_type("value_1, value_2, value_3")

Or, you could pass the arguments as an already-configured string like

get_type("my_field=value_1 OR my_field=value_2 OR my_field=value_3")

and just invoke the argument as

| where $arg1$

It seems to me the first method gives a better abstraction barrier, but the second one should work just as well.

How can I create a Macro with multiple arguments?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How can I create a Macro with multiple arguments?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR