Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Possible to create search macro using Arguments for a user list?

jwalzerpitt
Influencer
‎10-13-2016 06:42 AM

I have a search that references 80 users in username field:

index=abc EventID=4625 (username=abc OR username=def OR ...)

Is it possible to create a macro with the usernames listed as arguments?

Thx

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-13-2016 07:03 AM

Use a lookup:

index=abc EventID=4625 [ |inputlookup users.csv | table username] | ...

You could manually manage your lookup or update it using a scheduled search and outputlookup command.
You have only to put attention to the name of the lookup column (username): must be the same of your search field (username), otherwise rename it in subsearch.
if the search to generate the lookup isn't too slow, you could also use a subsearch:

index=abc EventID=4625 [ search index=myindex | dedup username | table username]

Bye.
Giuseppe

Reply

jwalzerpitt
Influencer
‎10-13-2016 07:07 AM

Thx for the suggestion - any performance hit of input lookup vs. macro search?

Thx

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-13-2016 07:08 AM

I don't know, but I usually use lookups.
Bye.
Giuseppe

0 Karma
Reply

somesoni2
Revered Legend
‎10-13-2016 07:20 AM

Macros are faster than lookup but with such a small number of entries in the lookup it would be negligible. Using lookups are simpler.

0 Karma
Reply

jwalzerpitt
Influencer
‎10-13-2016 07:22 AM

Thx for the information!

0 Karma
Reply

jwalzerpitt
Influencer
‎10-13-2016 07:18 AM

Thx for the info

0 Karma
Reply

ddrillic
Ultra Champion
‎10-13-2016 07:00 AM

The documentation at Define search macros in Settings
explains -

-- 7.(Optional) Provide Arguments as appropriate for your search macro. This is a comma-delimited string of argument names without repeated elements. Argument names may only contain alphanumeric characters (a-Z, A-Z, 0-9), underscores, and dashes.

Reply

ddrillic
Ultra Champion
‎10-13-2016 07:23 AM

Right - index=abc EventID=4625 username=$arg1$ looks fine or index=abc EventID=4625 username="$arg1$", with double quotes.

The search itself behaves like a regular search which means that the default operator is AND. If you want OR you should place explicit OR in the search query, such as -

index=abc EventID=4625 OR username="$arg1$"

0 Karma
Reply

jwalzerpitt
Influencer
‎10-13-2016 07:33 AM

Thx for the reply and breakdown - greatly appreciated!

0 Karma
Reply

ddrillic
Ultra Champion
‎10-13-2016 07:38 AM

You are welcome - good luck.

0 Karma
Reply

jwalzerpitt
Influencer
‎10-13-2016 07:06 AM

Would the search macro look like as follows?

index=abc EventID=4625 username=$arg1$

Also, are the arguments (username) treated as OR?

Thx

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...