Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to make a reusable macro which replaces field text

SimonKof
New Member
‎03-14-2018 03:36 AM

I have a splunk dashboard which shows metrices for an API.

The dashboard have a graph showing response times and a table showing min, max, average of response times. They both include the following eval in the search to group endpoints with ids in the url.

eval endpoint = replace(endpoint,"user\/\d+\/address","user/{id}/address")

This way the calls to /user/12345/address and /user/98765/address will be grouped as /user/{id}/address.

How do I create a macro that I can use to extract this functionality so it can be used in several dashboard panel searches? For example:

index=api
| eval endpoint = replace(endpoint,"user\/\d+\/address","user/{id}/address") 
| timechart span=1h count by endpoint

and

index=api 
| eval endpoint = replace(endpoint,"user\/\d+\/address","user/{id}/address")  
| stats Count, min(executiontime), max(executiontime), avg(executiontime), stdev(executiontime) by endpoint 
| sort - count 
| head 20

I would like it to have a macro called group_endpoints so I can simplify the above to something similar to:

index=api
| group_endpoints(endpoints)
| timechart span=1h count by endpoint
0 Karma
Reply

niketn
Legend
‎03-14-2018 04:50 AM

@SimonKof, is this question different from https://answers.splunk.com/answers/626482/extracting-eval-for-reuse-in-other-searches.html?

If you can use Calculated Fields to make the above eval reusable, will you still need a macro to do something similar?

If Calculated Fields solves your need let us know and this question can be closed as duplicate.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...