Solved: Macro Arguments

kmattern · ‎12-30-2011

I'm totally lost when it comes to arguments in macros. Here is what I want to do. I have three partial searches that are almost identical.

sourcetype="iis" cs_username!="-" /TM/ .pdf

sourcetype="iis" cs_username!="-" /TD/ .pdf

sourcetype="iis" cs_username!="-" /TDB/ .pdf

I would like to turn this into a macro where I can pass the argument for the values between the slashes. For the life of me I can't figure out what my macro should look like or how to call it. The documentation on macros really stinks.

dart · ‎12-30-2011

Hi kmattem,

You want a single parameter macro, with one argument:

macros.conf

[iis_search(1)]
args = fragment
definition = sourcetype="iis" cs_username!="-" /$fragment$/ .pdf

And call it like so

`iis_search(fragment=TM)`

View solution in original post

dart · ‎12-30-2011

Hi kmattem,

You want a single parameter macro, with one argument:

macros.conf

[iis_search(1)]
args = fragment
definition = sourcetype="iis" cs_username!="-" /$fragment$/ .pdf

And call it like so

`iis_search(fragment=TM)`

lguinn2 · ‎12-31-2011

If you do this through the user interface, fill in the form as follows:

In the Name box, enter iis_search(1)

Under Definition, enter sourcetype="iis" cs_username!="-" /$fragment$/ .pdf

Under Arguments, enter fragment

Macro Arguments

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation