
How and where can I add the timeformat string to a saved macro?


Splunk version: 6.4

Localization specifier in the URL : en_US

search 1:

earliest="01/08/2016:00:00:01" latest="01/08/2016:23:59:59" `getABC("xyz","abc123")`

search 2:

timeformat="%d/%m/%Y:%H:%M:%S" earliest="01/08/2016:00:00:01" latest="01/08/2016:23:59:59" `getABC("xyz","abc123")`

search 3:

earliest="01/08/2016:00:00:01" latest="01/08/2016:23:59:59" timeformat="%d/%m/%Y:%H:%M:%S" `getABC("xyz","abc123")`

Now search 1 displays the results for January 08 2016 and search 2 displays the results for Aug 1st. I'm looking for Aug 1st, so search 2 is the correct format I need.

How can I add the timeformat string to the getABC() macro so that search 1 displays results for August 1st 2016?

getABC is a macro defined as follows:

tag=xTH sourcetype="hjhjhj" $username$ host=$system$ | dedup _raw | `setXYZSystemWindows` | `setXYZUsernameWindows` | search xyz_username="$username$" xyz_system="$system$" | `setXYZRiskRating` | `setXYZActivityInfosWindows` | `setXYZInfoFieldWindows` | `tabelizeActivities` | `beautifyXYZFieldnames`

Note: if I give the timeformat anywhere other than the beginning of the search, as shown in search 3, then the search displays the results for January 1st 2016.

So is it possible to add that timeformat in the macro in such a way that the timeformat comes at the beginning of the search?

Sorry for the confusing English. Please post a solution if you understand my post.

1 Solution


Change your macro definition to this
Updated

Thanks @sundareshr for pointing that one out. I guess there is only one workaround available, where you include timeformat, earliest and latest all inside the macro itself (pass them as macro parameters). Like this:

Macro Name

getABC(5)

Definition

timeformat=$timeformat$ earliest=$earliest$ latest=$latest$ tag=xTH sourcetype="hjhjhj" $username$ host=$system$ | dedup _raw | `setXYZSystemWindows` | `setXYZUsernameWindows` | search xyz_username="$username$" xyz_system="$system$" | `setXYZRiskRating` | `setXYZActivityInfosWindows` | `setXYZInfoFieldWindows` | `tabelizeActivities` | `beautifyXYZFieldnames`

Parameters

timeformat,earliest,latest,username,system

Usage
For Aug 8 2016

getABC("%d/%m/%Y:%H:%M:%S","01/08/2016:00:00:01","01/08/2016:23:59:59","xyz","abc123") 

For Jan 08 2016

getABC("%m/%d/%Y:%H:%M:%S","01/08/2016:00:00:01","01/08/2016:23:59:59","xyz","abc123") 


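The accepted answer's five-argument macro written as a macros.conf stanza, which is the form you would deploy from an app rather than the web UI. This is an added example, not code from the thread; the validation and errormsg keys are my own addition (an assumption about what a deployment would want), not part of the answer above.

```ini
# Added example: $SPLUNK_HOME/etc/apps/<app>/local/macros.conf
# The stanza name carries the argument count; args lists the parameter
# names in the order callers pass them, matching the answer's Parameters.
[getABC(5)]
args = timeformat,earliest,latest,username,system
# timeformat is placed first so that, once the macro expands, it precedes
# earliest/latest, which the tests in the question show is required.
definition = timeformat=$timeformat$ earliest=$earliest$ latest=$latest$ tag=xTH sourcetype="hjhjhj" $username$ host=$system$ | dedup _raw | `setXYZSystemWindows` | `setXYZUsernameWindows` | search xyz_username="$username$" xyz_system="$system$" | `setXYZRiskRating` | `setXYZActivityInfosWindows` | `setXYZInfoFieldWindows` | `tabelizeActivities` | `beautifyXYZFieldnames`
# Optional guard (assumption, not in the answer): the validation eval must
# return true or the search fails with errormsg, so a call that passes a
# value with no strptime conversion (no %-letter) is rejected up front
# instead of silently parsing the dates with the wrong day/month order.
validation = match(timeformat, "%[a-zA-Z]")
errormsg = timeformat must be a strptime pattern such as %d/%m/%Y:%H:%M:%S
```

Calls then look exactly like the Usage lines above, e.g. `getABC("%d/%m/%Y:%H:%M:%S","01/08/2016:00:00:01","01/08/2016:23:59:59","xyz","abc123")`.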


I think I understand your question. Unfortunately, there is no way that I am aware of to have the timeformat be before earliest/latest without actually typing it there. Your other option would be to create a new macro (say tf()) and enter that before earliest.




I may be wrong but I believe, from his tests, timeformat needs to be defined BEFORE earliest/latest.
