Splunk Search

I am trying to follow the Windows RDP Connection Successful guide, and I have a question about macros

Erilope
Explorer

Hello everyone,

I am trying to follow this guide https://research.splunk.com/endpoint/ceaed840-56b3-4a70-b8e1-d762b1c5c08c/

and I created the macros that this guide is referencing, but I am unable to create the macro for windows_rdp_connection_successful_filter, because I am unsure how to create an empty macro in Splunk web. The guide says "windows_rdp_connection_successful_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL." What does this even mean?

We are currently using Splunk Enterprise 9.0.5

0 Karma
1 Solution

marnall
Builder

In the Splunk web interface, you can make macros by clicking on Settings (in the upper-right), then in the drop-down menu click on "Advanced search" in the KNOWLEDGE section, then click on "Search macros".

You can then click the green "New Search Macro" button to make a new search macro, which you can give a name.

In the Definition section you are supposed to enter the SPL that you would like the macro to expand to. This screen will not let you leave the Definition blank, so you could fill in a comment like ```emptymacro```, which would then make the macro do nothing. You can leave the other fields blank.

After you save the macro, you should change its permissions so it's accessible to you in the app you use to search.

What the guide likely means is that when you use macros, you can edit how the SPL of a search behaves without editing the SPL of the search. For example, you could have a scheduled report which uses a macro for filtering out certain hosts. You can then edit the macro to add new host values without having to edit the scheduled search.


0 Karma
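As an added example (not part of the original thread, and not the Splunk guide's own text), here is what the same filter macro looks like when defined in macros.conf rather than through the Splunk Web form, first in its default pass-through form and then tuned to exclude a known false positive. The Splunk Security Content (ESCU) app ships its `_filter` macros with the definition `search *`, which matches every event and therefore changes nothing; that is what "empty macro" means in practice. The field names (src, user) and the values in the tuned stanza are assumptions chosen for illustration, not taken from the guide.

```ini
# macros.conf, e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf
# Added example, not from the original thread or from the Splunk guide.

# 1. The "empty" filter macro as ESCU ships it. `search *` matches everything,
#    so appending it to the detection leaves the result set unchanged.
[windows_rdp_connection_successful_filter]
definition = search *
description = Update this macro to filter out known false positives without editing the detection SPL.

# 2. The same macro after tuning. Field names (src, user) and values are
#    assumptions for illustration; use the fields your detection actually emits.
#    NOT (...) drops only the listed matches; everything else still alerts.
#    (Commented out here because a file may not contain the same stanza twice.)
# [windows_rdp_connection_successful_filter]
# definition = search NOT (src="10.0.0.5" OR user="svc_jumphost")

# Usage: the detection ends with the macro as its last pipe,
#   ... | `windows_rdp_connection_successful_filter`
# which, with the tuned definition above, expands at search time to
#   ... | search NOT (src="10.0.0.5" OR user="svc_jumphost")
```

Two checks worth doing after creating the macro: in the Splunk Web search bar, expand the macro (Ctrl+Shift+E, or Cmd+Shift+E on macOS) to see the exact SPL that will run, and confirm the macro's permissions are shared with the app that owns the detection, otherwise the search fails with an unknown-macro error. If you edit macros.conf directly instead of using the Settings page, reload the configuration (restart, or the /debug/refresh endpoint) before expecting the change to apply.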


Erilope
Explorer

Sorry for the delay. I appreciate your answer. I have had a sick cat, and have not been able to respond. But your answer makes sense!

0 Karma