Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help on macro best practices

jip31
Motivator
‎09-08-2021 03:23 AM

Hi

I try to list the advantages of macro usage in Splunk

As far as I know the main usage is if the name of the index or of the sourcetype change, we just have to change the macro

But is there other benefits of using a macro?

For example, a macro is it faster?

Thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-08-2021 03:38 AM

Macros are not faster as they are expanded before the search is dispatched.

However, macros are a great way to have reusable SPL fragments in your searches, especially as they can be parameterised, so you can pass arguments to them, like code.

They are also a good way to simplify how your searches look, as you start to get more complex searches, as they can replace chunks of SPL with a simple macro.

The example you give is a good way to externalise characteristics of your search, so someone else, who needs to configure your search, does not have to modify your search, but only has to modify the macro.

The 'comment' macro, which is part of the search app is a good example of a macro that allows you to comment your SPL by using this sort of construct. Very useful for saved searches that will persist after you left the company!

`comment("This next section will aggregate the results based on abc and xyx")`

 

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎09-08-2021 09:22 AM

Thanks to all for your answers!!!

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-08-2021 04:14 AM

You can also use macros to do some interesting stuff around passing arguments through map commands - have a look at Gregg Woodcock's (@woodcock) awesome BSides 2021 video on programming loops. https://www.youtube.com/watch?v=1yEhbKXRFMg on the Splunk channel https://www.youtube.com/c/SPLUCX/videos 

 

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-08-2021 03:38 AM

Macros are not faster as they are expanded before the search is dispatched.

However, macros are a great way to have reusable SPL fragments in your searches, especially as they can be parameterised, so you can pass arguments to them, like code.

They are also a good way to simplify how your searches look, as you start to get more complex searches, as they can replace chunks of SPL with a simple macro.

The example you give is a good way to externalise characteristics of your search, so someone else, who needs to configure your search, does not have to modify your search, but only has to modify the macro.

The 'comment' macro, which is part of the search app is a good example of a macro that allows you to comment your SPL by using this sort of construct. Very useful for saved searches that will persist after you left the company!

`comment("This next section will aggregate the results based on abc and xyx")`

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-08-2021 03:48 AM

Yup. A macro is also a great way to prepare a huge piece of SPL code that can be easily used by others. If you are an experienced splunker, you might just write a long long SPL search with some fancy mechanics like lookup-based filtering and advanced stats manipulation and save it as parametrised macro so that your users just type in the macro name and get the results easily without having to paste a complicated search each time and without having to remember where to place the parameter values.

In short - you just tell your user to type `list_attacks("groupname=accounting")` which is short, easy and understanable instead of telling them to paste a 20-line long SPL search in which they still would have to insert values in proper places.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...