Knowledge Management

Possible to create search macro using Arguments for a user list?

jwalzerpitt
Influencer

I have a search that references 80 users in username field:

index=abc EventID=4625 (username=abc OR username=def OR ...)

Is it possible to create a macro with the usernames listed as arguments?

Thx

0 Karma

gcusello
SplunkTrust
SplunkTrust

Use a lookup:

index=abc EventID=4625 [ |inputlookup users.csv | table username] | ...

You could manually manage your lookup or update it using a scheduled search and outputlookup command.
You have only to put attention to the name of the lookup column (username): must be the same of your search field (username), otherwise rename it in subsearch.
if the search to generate the lookup isn't too slow, you could also use a subsearch:

index=abc EventID=4625 [ search index=myindex | dedup username | table username]

Bye.
Giuseppe

jwalzerpitt
Influencer

Thx for the suggestion - any performance hit of input lookup vs. macro search?

Thx

0 Karma

gcusello
SplunkTrust
SplunkTrust

I don't know, but I usually use lookups.
Bye.
Giuseppe

0 Karma

somesoni2
Revered Legend

Macros are faster than lookup but with such a small number of entries in the lookup it would be negligible. Using lookups are simpler.

0 Karma

jwalzerpitt
Influencer

Thx for the information!

0 Karma

jwalzerpitt
Influencer

Thx for the info

0 Karma

ddrillic
Ultra Champion

The documentation at Define search macros in Settings
explains -

-- 7.(Optional) Provide Arguments as appropriate for your search macro. This is a comma-delimited string of argument names without repeated elements. Argument names may only contain alphanumeric characters (a-Z, A-Z, 0-9), underscores, and dashes.

ddrillic
Ultra Champion

Right - index=abc EventID=4625 username=$arg1$ looks fine or index=abc EventID=4625 username="$arg1$", with double quotes.

The search itself behaves like a regular search which means that the default operator is AND. If you want OR you should place explicit OR in the search query, such as -

index=abc EventID=4625 OR username="$arg1$"

0 Karma

jwalzerpitt
Influencer

Thx for the reply and breakdown - greatly appreciated!

0 Karma

ddrillic
Ultra Champion

You are welcome - good luck.

0 Karma

jwalzerpitt
Influencer

Would the search macro look like as follows?

index=abc EventID=4625 username=$arg1$

Also, are the arguments (username) treated as OR?

Thx

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...