How to pass list string as an arguments to Splunk ...

thinhdinh · ‎06-22-2020

Hi Splunk experts,

I am a new face here. I have a task for multiple alerts creating. I am wondering is it possible to pass a list of strings as an argument to my custom macro. Let's me explain more about the idea:

My argument will be like this:

"scope=A"

"scope=A OR scope=B"

"scope=A OR scope=B OR scope=C"

....

Basically scope can be equals to whatever value as much as we need and I want to write a macro just has only one argument, but I still could add number of values to my macro:

myMacro(1)

How can I solve it? Thank in advance.

bowesmana · ‎06-23-2020

You can create the macro with one argument and pass what you like, so all of your examples would be fine.

However what is it you are trying to achieve with that macro. I am guessing it's some kind of search filtering from your examples.

It looks like you're wanting to have a flexible 'search for x=y' where x and y can be 1..n and x can be different fields also or is 'x' always scope?

Can you explain in more detail what you want the macro to do and where in the search pipeline it's intended for, part of the base search or following the first | (pipe)

thinhdinh · ‎06-23-2020

Hi @bowesmana ,

Exactly! That is what you are guessing. The reason I want to like that because I have bunch of scopes and I don't want for each of scope I have to write a macro. I need to make the argument that I am passing to my macro is flexible., from that we only have one macro. Value of scopes will be added before the pipeline and they are searching strings. Example:

host=host source=source ("scope=A OR scope=B OR scope=C OR...") | .....

bowesmana · ‎06-23-2020

Maybe you would be better of just writing

host=host source=source scope IN ("A","B","C")
| .....

I am assuming the scope is a field in your data?

thinhdinh · ‎06-25-2020

@bowesmana Hi, sorry to bother you again. So how can I pass those scopes to my macro?! When I tried to do something like this, it's not working for me:

myCustomMacro(scope=("A", "B", "C"))

bowesmana · ‎06-25-2020

I am not sure what you want the macro to do - what is the need to have a macro in the first place.

What will the macro in addition to the search itself?

thinhdinh · ‎06-25-2020

I have bunch of different scope as I said before and for each of those scope I have to write an alert. With a help from macro, my task should more easier. That's why I need a macro with a flexible argument. Yes, I have moved the argument to the search itself, it's not required in the first place.

bowesmana · ‎06-25-2020

The search will produce a set of results and the alert will come from those results. I don't see where the macro is required in this, but perhaps you can provide some more detail on the actual result you are looking to get out of this alert.

thinhdinh · ‎06-26-2020

Sure we can write different search queries for each scope, but it is too long. That's why I want to use macro in this case. I don't have one alert, I have bunch of alerts and the result of them depends on their scopes. As I know macro is not required to use if we don't like.

thinhdinh · ‎06-24-2020

Hi @bowesmana

It looks super simple 🙂. Yes, that is a field of my data.

How to pass list string as an arguments to Splunk macro

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?