Given that macros lack the ability to take variable length arguments or parse a single arg into several args. what I'd like to do is create custom event generating commands in python that execute searches underneath the hood. a simple example would be a SQL 'in' syntax generator.
sqlIn( Id, 11, 33, 44 ) # where no of args can vary
would execute the search below and return the events in splunk UI or piped to subsequent commands.
index=* ( Id=11 OR Id=33 OR Id=44 )
The best way I can think of doing this is the create a event-generating command and execute the search via the rest API ( which seems clunky ) is there a way execute a search from the splunk search head calling this py script without having to infer the REST URL with env variables etc?
I'd like to be able to generate macro text from Python functions which when added to the /bin directory can be used like a normal macro.
You can do this using an macro with a subsearch.
If you create a
search field in your subsearch it will expand out into a search, and you can use replace to format your string correctly, like so:
index=_internal metrics [ stats count | eval test="per_host_thruput,per_index_thruput" | eval search = "group=" + replace(test,",", " OR group=") ]
Which could be converted into a macro which specified the variable fields, and the field name.
You can also do this be creating a python script that returns a field called search, and then call it inside a subsearch.
You can create a custom search command calling a script.
then have the script call a search using the REST API, or a simple the CLI search command.
for the CLI see http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/CLIsearchsyntax