Hey,
I have the following saved search in my Splunk instance which I saved as a search macro:
sourcetype="log-file-pub" "market data retrieval failed" OR "The request failed with HTTP status 503: Service Unavailable" OR "Error getting market data" OR "The request failed with HTTP status 403: Forbidden"
Is it possible to write a search macro with arguments which allows me to specify the strings (i.e. market data retrieval failed) that Splunk searches for in the above sourcetype?
The only part of the search which remains fixed is: sourcetype="log-file-pub"
The other strings (in between the OR's) change depending on what the user specifies.
Take a look at this example showing how you can parameterize a search macro:
Example - Combine search macros and transactions
So try defining your macro 'foo(4)' like this:
sourcetype="log-file-pub" $msg1$ OR $msg2$ OR $msg3$ OR $msg4$
And remember to specify your arguments in the Arguments list:
msg1,msg2,msg3,msg4
Then reference the macro like this:
`foo("bar1","bar2","bar3","bar4")`
... or with your specified messages:
`foo("market data retrieval failed","The request failed with HTTP status 503: Service Unavailable","Error getting market data","The request failed with HTTP status 403: Forbidden")`
Also, if you want to preserve the literal quotations marks, then either define your macro with quotes around the args:
sourcetype="log-file-pub" "$msg1$" OR "$msg2$" OR "$msg3$" OR "$msg4$"
... or pass the quotes when using the macro:
`foo("\"bar1\"","\"bar2\"","\"bar3\"","\"bar4\"")`
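The same four-argument macro, written as a macros.conf stanza instead of through the Manager UI, as an added example that is not part of the answer above. The stanza name, `args`, `definition`, `validation` and `errormsg` are standard macros.conf keys; the validation expression (requiring the first message string to be non-empty) is an assumption added here, not something the thread specifies.

```ini
; macros.conf (added example; stanza name "foo(4)" = macro "foo" taking 4 args)
[foo(4)]
; argument names, comma-separated, in the order they are passed at call time
args = msg1,msg2,msg3,msg4
; quotes around each $arg$ keep a multi-word message like
; "market data retrieval failed" as one phrase rather than four terms
definition = sourcetype="log-file-pub" "$msg1$" OR "$msg2$" OR "$msg3$" OR "$msg4$"
; assumed validation: reject a call whose first message is empty,
; so an empty "" does not silently turn the clause into a match-everything search
validation = len($msg1$) > 0
errormsg = msg1 must be a non-empty message string
```

Invoke it exactly as shown above, `` `foo("market data retrieval failed","The request failed with HTTP status 503: Service Unavailable","Error getting market data","The request failed with HTTP status 403: Forbidden")` ``; because the quotes live in the definition, callers pass the bare strings and Splunk expands them into the quoted phrases.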
Hi gkanapathy, I edited my original question in relation to the things you have asked
Can you clarify what exactly is to be parameterized? Maybe provide two or three examples where the parameter is different: which parts of the search string are fixed, and which need to change, and how?
Sorry, I misunderstood what you want to do. So if I understand you correctly this time around, the revised answer should work.
I tried this, but it was unsuccessful. Shouldn't my macro be called foo(4), which is defined as: sourcetype="log-file-pub" $messagearg$ OR $messagearg$ OR $messagearg$ OR $messagerarg ??? This is based on the fact that I want my macro to be able to take 4 arguments, being any 4 strings (error getting data etc.) that I want to write in the search.
You can build a custom dashboard that includes a form.
See developer documentation at http://www.splunk.com/base/Documentation/latest/Developer/FormIntro for more information on building forms.