What is the use of the drop_dm_object_name() clause in a query with tstats?
I am trying to find out what purpose drop_dm_object_name() serves.
That macro just changes the name of fields in data models to be just the field name, instead of the relative name in the data model. So a dataset would go from: Authentication.user to just "user" after using that macro.
What is a macro?
Search macros in Splunk are reusable chunks of Search Processing Language (SPL) that you can insert into other searches. A macro is enclosed in back quotes (backticks), as in `macro_name`, and is called from your search like `drop_dm_object_name(field)`. You can see and define these macros in Splunk under Settings > Advanced Search > Search Macros.
All about macros here:
Use search macros in searches - Splunk Documentation
Hope this helps.
A macro is a rule that shows how a certain input should be mapped to a replacement output.
To expand a macro in Splunk, use CTRL + SHIFT + E.
And to OP: drop_dm_object_name removes the leading stuff from a data model.
DM fields (not index, host, sourcetype, etc.) but the ones you create as custom all have leading words in front of the field.
In a typical Authentication DM, for example, all the fields have a leading "Authentication." prefix:
Authentication.user, Authentication.tag, Authentication.app, etc.
drop_dm_object_name just drops the "Authentication." part.
Cheers
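As an added worked example (not from any of the replies above, and not Splunk's own documentation), here is a tstats search over the CIM Authentication data model that uses the macro, followed by the plain `rename` it expands to. The detection logic itself is illustrative: the 24-hour window, the hourly bucket and the threshold of 20 failures per user/src/dest are assumed values, not anything from this thread.

```spl
| tstats summariesonly=true count AS failed_logons
    FROM datamodel=Authentication
    WHERE Authentication.action="failure" earliest=-24h
    BY _time span=1h, Authentication.user, Authentication.src, Authentication.dest
| `drop_dm_object_name("Authentication")`
| where failed_logons > 20
| sort - failed_logons
| table _time, user, src, dest, failed_logons

| tstats summariesonly=true count AS failed_logons
    FROM datamodel=Authentication
    WHERE Authentication.action="failure" earliest=-24h
    BY _time span=1h, Authentication.user, Authentication.src, Authentication.dest
| rename Authentication.* AS *
| where failed_logons > 20
| sort - failed_logons
| table _time, user, src, dest, failed_logons
```

The two searches return identical results: in Splunk_SA_CIM the macro is defined with one argument, `node`, as `rename $node$.* as *`, which you can confirm with CTRL + SHIFT + E on the first search. Two practical points follow from that definition. First, the argument must be the root dataset name that appears as the prefix in the tstats output (`Authentication`, `Network_Traffic`, `Web`, ...); passing the wrong name silently leaves every field prefixed, and a later `| where user=...` then matches nothing. Second, fields that were never prefixed (`_time`, the `count` alias, and index-level fields such as `host` or `sourcetype`) are untouched, which is why the `table` command can mix `_time` with the renamed `user`, `src` and `dest`. Note also that `summariesonly=true` only returns events already written to the accelerated summary, so an incomplete acceleration shows up as missing failures rather than as an error.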
data:image/s3,"s3://crabby-images/2762a/2762a549f4986b9f8f4e515ea77f65f7d9fa1fc8" alt=""