Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can I create a Macro with multiple arguments?

raymondc
Engager
‎02-08-2017 11:29 PM

Hi

I want to create a macro with at least 1 argument and maximum 20 arguments.
So I created 20 macros. (See example below. I only displayed 3 of them and leaved out some other statements.)

Is there a other way to do this?

Example of my current macros.conf file: 

 [get_type(3)]
 args = field_1, field_2, field_3
 definition = ... | where (my_field=$field_1$ OR my_field=$field_2$ OR my_field=$field_3$) | ...

 [get_type(2)]
 args = field_1, field_2
 definition = ... | where (my_field=$field_1$ OR my_field=$field_2$) | ...

 [get_type(1)]
 args = field_1
 definition = ...| where my_field=$field_1$ | ...
0 Karma
Reply

DalJeanis
Legend
‎02-09-2017 07:34 AM

Sure, if you are just passing text values, all destined for testing a single field, then you can pass the argument as a single delimited string, and parse it in the macro. Can't write the parse code off the top of my head, but the call would look like - 

 get_type("value_1, value_2, value_3")

Or, you could pass the arguments as an already-configured string like 

get_type("my_field=value_1 OR my_field=value_2 OR my_field=value_3")

and just invoke the argument as 

| where $arg1$

It seems to me the first method gives a better abstraction barrier, but the second one should work just as well.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...