Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Possible to create search macro using Arguments for a user list?

jwalzerpitt
Influencer
‎10-13-2016 06:42 AM

I have a search that references 80 users in username field:

index=abc EventID=4625 (username=abc OR username=def OR ...)

Is it possible to create a macro with the usernames listed as arguments?

Thx

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-13-2016 07:03 AM

Use a lookup:

index=abc EventID=4625 [ |inputlookup users.csv | table username] | ...

You could manually manage your lookup or update it using a scheduled search and outputlookup command.
You have only to put attention to the name of the lookup column (username): must be the same of your search field (username), otherwise rename it in subsearch.
if the search to generate the lookup isn't too slow, you could also use a subsearch:

index=abc EventID=4625 [ search index=myindex | dedup username | table username]

Bye.
Giuseppe

Reply

jwalzerpitt
Influencer
‎10-13-2016 07:07 AM

Thx for the suggestion - any performance hit of input lookup vs. macro search?

Thx

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-13-2016 07:08 AM

I don't know, but I usually use lookups.
Bye.
Giuseppe

0 Karma
Reply

somesoni2
Revered Legend
‎10-13-2016 07:20 AM

Macros are faster than lookup but with such a small number of entries in the lookup it would be negligible. Using lookups are simpler.

0 Karma
Reply

jwalzerpitt
Influencer
‎10-13-2016 07:22 AM

Thx for the information!

0 Karma
Reply

jwalzerpitt
Influencer
‎10-13-2016 07:18 AM

Thx for the info

0 Karma
Reply

ddrillic
Ultra Champion
‎10-13-2016 07:00 AM

The documentation at Define search macros in Settings
explains -

-- 7.(Optional) Provide Arguments as appropriate for your search macro. This is a comma-delimited string of argument names without repeated elements. Argument names may only contain alphanumeric characters (a-Z, A-Z, 0-9), underscores, and dashes.

Reply

ddrillic
Ultra Champion
‎10-13-2016 07:23 AM

Right - index=abc EventID=4625 username=$arg1$ looks fine or index=abc EventID=4625 username="$arg1$", with double quotes.

The search itself behaves like a regular search which means that the default operator is AND. If you want OR you should place explicit OR in the search query, such as -

index=abc EventID=4625 OR username="$arg1$"

0 Karma
Reply

jwalzerpitt
Influencer
‎10-13-2016 07:33 AM

Thx for the reply and breakdown - greatly appreciated!

0 Karma
Reply

ddrillic
Ultra Champion
‎10-13-2016 07:38 AM

You are welcome - good luck.

0 Karma
Reply

jwalzerpitt
Influencer
‎10-13-2016 07:06 AM

Would the search macro look like as follows?

index=abc EventID=4625 username=$arg1$

Also, are the arguments (username) treated as OR?

Thx

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...