Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to make a reusable macro which replaces field text

SimonKof
New Member
‎03-14-2018 03:36 AM

I have a splunk dashboard which shows metrices for an API.

The dashboard have a graph showing response times and a table showing min, max, average of response times. They both include the following eval in the search to group endpoints with ids in the url.

eval endpoint = replace(endpoint,"user\/\d+\/address","user/{id}/address")

This way the calls to /user/12345/address and /user/98765/address will be grouped as /user/{id}/address.

How do I create a macro that I can use to extract this functionality so it can be used in several dashboard panel searches? For example:

index=api
| eval endpoint = replace(endpoint,"user\/\d+\/address","user/{id}/address") 
| timechart span=1h count by endpoint

and

index=api 
| eval endpoint = replace(endpoint,"user\/\d+\/address","user/{id}/address")  
| stats Count, min(executiontime), max(executiontime), avg(executiontime), stdev(executiontime) by endpoint 
| sort - count 
| head 20

I would like it to have a macro called group_endpoints so I can simplify the above to something similar to:

index=api
| group_endpoints(endpoints)
| timechart span=1h count by endpoint
0 Karma
Reply

niketn
Legend
‎03-14-2018 04:50 AM

@SimonKof, is this question different from https://answers.splunk.com/answers/626482/extracting-eval-for-reuse-in-other-searches.html?

If you can use Calculated Fields to make the above eval reusable, will you still need a macro to do something similar?

If Calculated Fields solves your need let us know and this question can be closed as duplicate.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...