Knowledge Management
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Possible to create search macro using Arguments for a user list?

jwalzerpitt
Influencer
‎10-13-2016 06:42 AM

I have a search that references 80 users in username field:

index=abc EventID=4625 (username=abc OR username=def OR ...)

Is it possible to create a macro with the usernames listed as arguments?

Thx

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-13-2016 07:03 AM

Use a lookup:

index=abc EventID=4625 [ |inputlookup users.csv | table username] | ...

You could manually manage your lookup or update it using a scheduled search and outputlookup command.
You have only to put attention to the name of the lookup column (username): must be the same of your search field (username), otherwise rename it in subsearch.
if the search to generate the lookup isn't too slow, you could also use a subsearch:

index=abc EventID=4625 [ search index=myindex | dedup username | table username]

Bye.
Giuseppe

Reply

jwalzerpitt
Influencer
‎10-13-2016 07:07 AM

Thx for the suggestion - any performance hit of input lookup vs. macro search?

Thx

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-13-2016 07:08 AM

I don't know, but I usually use lookups.
Bye.
Giuseppe

0 Karma
Reply

somesoni2
Revered Legend
‎10-13-2016 07:20 AM

Macros are faster than lookup but with such a small number of entries in the lookup it would be negligible. Using lookups are simpler.

0 Karma
Reply

jwalzerpitt
Influencer
‎10-13-2016 07:22 AM

Thx for the information!

0 Karma
Reply

jwalzerpitt
Influencer
‎10-13-2016 07:18 AM

Thx for the info

0 Karma
Reply

ddrillic
Ultra Champion
‎10-13-2016 07:00 AM

The documentation at Define search macros in Settings
explains -

-- 7.(Optional) Provide Arguments as appropriate for your search macro. This is a comma-delimited string of argument names without repeated elements. Argument names may only contain alphanumeric characters (a-Z, A-Z, 0-9), underscores, and dashes.

Reply

ddrillic
Ultra Champion
‎10-13-2016 07:23 AM

Right - index=abc EventID=4625 username=$arg1$ looks fine or index=abc EventID=4625 username="$arg1$", with double quotes.

The search itself behaves like a regular search which means that the default operator is AND. If you want OR you should place explicit OR in the search query, such as -

index=abc EventID=4625 OR username="$arg1$"

0 Karma
Reply

jwalzerpitt
Influencer
‎10-13-2016 07:33 AM

Thx for the reply and breakdown - greatly appreciated!

0 Karma
Reply

ddrillic
Ultra Champion
‎10-13-2016 07:38 AM

You are welcome - good luck.

0 Karma
Reply

jwalzerpitt
Influencer
‎10-13-2016 07:06 AM

Would the search macro look like as follows?

index=abc EventID=4625 username=$arg1$

Also, are the arguments (username) treated as OR?

Thx

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...
li.common.scroll-to.top