Splunk Enterprise Security

Macro definition = ()

stwong
Communicator

Hi all,

Just note that the macro `cim_Authentication_indexes` of Splunk_SA_CIM has a definition like the following:

[cim_Authentication_indexes]
definition = ()

What does it mean?

Sorry for the newbie question. Thanks a lot.

Regards

1 Solution

PickleRick
SplunkTrust

No! () does _not_ equal *.

() in this context just expands to an empty condition. When you build a search in SPL, the parentheses group conditions and unless you specify otherwise, there is an implied AND between conditions.

So

(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)

expands to

(()) tag=authentication NOT (action=success user=*$)

So you have an empty condition (in other words - you don't limit the events) and some further default conditions on tag, action and user.


stwong
Communicator

Got it. No wonder I see nothing when pressing Shift-Ctrl-E.

Thanks for replies from you all.

Best Regards


isoutamo
SplunkTrust
You should run the command first and after that this key combination works.

PickleRick
SplunkTrust

This means that the macro cim_Authentication_indexes expands to ()

That's the technical explanation.

But what's the purpose of such a definition? Well, it's quite typical to define a macro that will be used in building a condition for something else - typically you externalize the condition to a macro so that the basic search construct that you use - for example in building a visualization, or creating a report - is the same regardless of what additional limitations you want to apply to the data. This way you have the static definition in the search itself but by redefining the macro, usually as a part of configuring an app after installation, you can fine-tune how the search works.

In this case the macro cim_Authentication_indexes is used in the definition of CIM's Authentication datamodel.

The root dataset constraint is "(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)" so by redefining the cim_Authentication_indexes macro you can easily narrow down the scope of the datamodel application only to the indexes that really contain authentication data.
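
To make the macro expansion and the "empty condition" behaviour from the accepted answer concrete, here is an added Python example (not code from the thread, Splunk, or Splunk_SA_CIM). It reads two small, constructed macros.conf stanzas: the shipped default `definition = ()` from the question, and a hypothetical tuned redefinition `(index=auth OR index=wineventlog)` whose index names are invented for illustration. It then expands the backtick macro inside the root dataset constraint quoted above and lists the conditions that are left at the top level once empty groups like `(())` are dropped, which is exactly why the default definition does not limit the events. It handles only argument-less macros; macro arguments and nested quoting are outside its scope.

```python
import re
from configparser import ConfigParser

# Constructed macros.conf stanzas. The first mirrors the default from the
# question; the second is a hypothetical post-install redefinition that
# narrows the datamodel to two invented index names.
DEFAULT_MACROS_CONF = """
[cim_Authentication_indexes]
definition = ()
"""

TUNED_MACROS_CONF = """
[cim_Authentication_indexes]
definition = (index=auth OR index=wineventlog)
"""

# Root dataset constraint of the CIM Authentication datamodel, as quoted in the thread.
ROOT_CONSTRAINT = "(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)"

# Matches an argument-less macro invocation such as `cim_Authentication_indexes`.
MACRO_RE = re.compile(r"`([A-Za-z0-9_]+)`")


def load_macros(conf_text):
    """Parse macros.conf-style text into {macro_name: definition}."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {name: cp[name]["definition"] for name in cp.sections()}


def expand(search, macros, max_depth=10):
    """Replace backtick macros with their definitions, repeating for nested macros."""
    def substitute(match):
        name = match.group(1)
        if name not in macros:
            raise KeyError(f"undefined macro: {name}")
        return macros[name]

    for _ in range(max_depth):
        expanded = MACRO_RE.sub(substitute, search)
        if expanded == search:
            return expanded
        search = expanded
    raise RecursionError("macro expansion did not converge (self-referential macro?)")


def top_level_terms(search):
    """Split a search string on whitespace that is not inside parentheses."""
    terms, depth, current = [], 0, ""
    for ch in search:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch.isspace() and depth == 0:
            if current:
                terms.append(current)
            current = ""
        else:
            current += ch
    if current:
        terms.append(current)
    return terms


def is_empty_group(term):
    """True for terms made only of parentheses, e.g. '()' or '(())'."""
    return re.fullmatch(r"[()\s]*", term) is not None


def effective_terms(search, macros):
    """Expand macros, then drop empty groups: what actually constrains the events."""
    return [t for t in top_level_terms(expand(search, macros)) if not is_empty_group(t)]


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_MACROS_CONF), ("tuned", TUNED_MACROS_CONF)):
        macros = load_macros(conf)
        print(f"{label}: {expand(ROOT_CONSTRAINT, macros)}")
        print(f"  effective conditions: {effective_terms(ROOT_CONSTRAINT, macros)}")
```

With the default definition the expanded constraint is `(()) tag=authentication NOT (action=success user=*$)` and the only effective conditions are the tag and the NOT clause, so every index is searched; with the tuned stanza the first effective term becomes the index restriction, which is the knob the CIM app expects you to turn after installation.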

stwong
Communicator

Hi,

Thanks for your advice.

Does "()" equal "*" in SPL? Seems I need to read the book "SPL for Dummies" (if available).

Best Regards



isoutamo
SplunkTrust

When you have opened a search which contains a macro, you can check how it will be expanded by Shift-Ctrl-E (in Windows) and Shift-Cmd-E (in macOS).

All macros you can find under Settings -> Advanced search -> Search macros

r. Ismo

Another nice key combination is Shift+Cmd/Ctrl+F
