Knowledge Management

Possible to create search macro using Arguments for a user list?

jwalzerpitt
Motivator

I have a search that references 80 users in username field:

index=abc EventID=4625 (username=abc OR username=def OR ...)

Is it possible to create a macro with the usernames listed as arguments?

Thx

0 Karma

gcusello
SplunkTrust

Use a lookup:

index=abc EventID=4625 [ |inputlookup users.csv | table username] | ...

You could manage your lookup manually or update it using a scheduled search and the outputlookup command.
You only have to pay attention to the name of the lookup column (username): it must be the same as your search field (username); otherwise rename it in the subsearch.
If the search that generates the lookup isn't too slow, you could also use a subsearch:

index=abc EventID=4625 [ search index=myindex | dedup username | table username]

Bye.
Giuseppe

jwalzerpitt
Motivator

Thx for the suggestion - any performance hit of input lookup vs. macro search?

Thx

0 Karma

gcusello
SplunkTrust

I don't know, but I usually use lookups.
Bye.
Giuseppe

0 Karma

somesoni2
Revered Legend

Macros are faster than lookup but with such a small number of entries in the lookup it would be negligible. Using lookups are simpler.

0 Karma

jwalzerpitt
Motivator

Thx for the information!

0 Karma

jwalzerpitt
Motivator

Thx for the info

0 Karma

ddrillic
Ultra Champion

The documentation at Define search macros in Settings explains -

-- 7. (Optional) Provide Arguments as appropriate for your search macro. This is a comma-delimited string of argument names without repeated elements. Argument names may only contain alphanumeric characters (a-Z, A-Z, 0-9), underscores, and dashes.

ddrillic
Ultra Champion

Right - index=abc EventID=4625 username=$arg1$ looks fine or index=abc EventID=4625 username="$arg1$", with double quotes.

The search itself behaves like a regular search which means that the default operator is AND. If you want OR you should place explicit OR in the search query, such as -

index=abc EventID=4625 OR username="$arg1$"

0 Karma
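As an added example, not part of any post in this thread: a macros.conf stanza that combines the two suggestions above, gcusello's lookup and ddrillic's macro with an argument. The macro name, the lookup file name, the app directory and the index used to refresh the lookup are assumptions; the expansion of a subsearch into an OR of username terms is standard Splunk behaviour, so the OR logic asked about above does not need to be written by hand.

```ini
# macros.conf (added example, not from the thread). Put it in
# $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf; <your_app> is a placeholder.
#
# One argument, the Windows event ID, so the same watch list can be reused
# for other event IDs without duplicating the user list.
# The subsearch expands to (username="abc" OR username="def" OR ...), so the
# OR logic comes for free. The lookup column must be named "username" to
# match the field in the events, or be renamed inside the subsearch.
[watched_user_events(1)]
args = eventid
definition = index=abc EventID=$eventid$ [| inputlookup watched_users.csv | fields username]
iseval = 0
# Optional guard: reject anything that is not an integer event ID.
validation = isint(eventid)
errormsg = eventid must be an integer Windows event ID

# Usage in a search (assumes watched_users.csv exists with a "username" column):
#   `watched_user_events(4625)` | stats count by username | where count > 10
#
# Refreshing the watch list with a scheduled search and outputlookup, as
# gcusello describes (index, sourcetype and field names are assumptions):
#   index=hr sourcetype=watchlist status=active | dedup username | fields username
#   | outputlookup watched_users.csv
```

The validation line is what makes the macro safer to share: the argument is substituted into the search text before it runs, so restricting it to an integer keeps a caller from turning the macro into an arbitrary search fragment.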

jwalzerpitt
Motivator

Thx for the reply and breakdown - greatly appreciated!

0 Karma

ddrillic
Ultra Champion

You are welcome - good luck.

0 Karma

jwalzerpitt
Motivator

Would the search macro look as follows?

index=abc EventID=4625 username=$arg1$

Also, are the arguments (username) treated as OR?

Thx

0 Karma