Solved: How to include arguments in search macros with non...

cherrypick · ‎08-14-2024

I have arguments for my macro that contain other values e.g. $env:user$ and $timepicker.earliest$/$timepicker.latest$. How do I include these in my macro definition as it doesn't allow me since macro arguments must only contain alphanumeric, '_' and '-' characters?

yuanliu · ‎08-14-2024

Use macro params to pass these tokens. Here is an example:

Name	Definition	Arguments
non-alphabetic-token(2)	index=_internal earliest=$earliest_tok$ latest=$latest_tok$	earliest_tok, latest_tok

<form version="1.1" theme="light">
  <label>Non-alphabetic tokens</label>
  <description>https://community.splunk.com/t5/Splunk-Search/How-to-include-arguments-in-search-macros-with-non-alphanumeric/m-p/696333#M236667</description>
  <fieldset submitButton="false">
    <input type="time" token="timepicker" searchWhenChanged="true">
      <label>pick time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$timepicker.earliest$</title>
      <table>
        <search>
          <query>`non-alphabetic-token($timepicker.earliest$, $timepicker.latest$)`
| addinfo
| stats count by info_min_time info_max_time
| foreach info_*
    [eval &lt;&lt;FIELD&gt;&gt; = strftime(&lt;&lt;FIELD&gt;&gt;, "%F %T")]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Here are some sample interactions:

View solution in original post

PickleRick · ‎08-15-2024

I'm not sure you understand the macros correctly.

if you define a macro with two parameters paramA and paramB it will get substituted in your search with whatever values you specify for them. These are separate layers.

yuanliu · ‎08-14-2024

Use macro params to pass these tokens. Here is an example:

Name	Definition	Arguments
non-alphabetic-token(2)	index=_internal earliest=$earliest_tok$ latest=$latest_tok$	earliest_tok, latest_tok

<form version="1.1" theme="light">
  <label>Non-alphabetic tokens</label>
  <description>https://community.splunk.com/t5/Splunk-Search/How-to-include-arguments-in-search-macros-with-non-alphanumeric/m-p/696333#M236667</description>
  <fieldset submitButton="false">
    <input type="time" token="timepicker" searchWhenChanged="true">
      <label>pick time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$timepicker.earliest$</title>
      <table>
        <search>
          <query>`non-alphabetic-token($timepicker.earliest$, $timepicker.latest$)`
| addinfo
| stats count by info_min_time info_max_time
| foreach info_*
    [eval &lt;&lt;FIELD&gt;&gt; = strftime(&lt;&lt;FIELD&gt;&gt;, "%F %T")]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Here are some sample interactions:

cherrypick · ‎08-15-2024

Amazing! Thank you. Yes I misunderstood macros.

cherrypick · ‎08-14-2024

Or is there another way to use re-usable SPL searches that can take these values into account?

How to include arguments in search macros with non-alphanumeric values

subsearch

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...