
Search Macro Question

Motivator

Hey,

I have the following saved search in my Splunk instance which I saved as a search macro:

sourcetype="log-file-pub" "market data retrieval failed" OR "The request failed with HTTP status 503: Service Unavailable" OR "Error getting market data" OR "The request failed with HTTP status 403: Forbidden"

Is it possible to write a search macro with arguments which allows me to specify the strings (i.e. market data retrieval failed) that Splunk searches for in the above sourcetype?


The only part of the search which remains fixed is: sourcetype="log-file-pub"

The other strings (in between the OR's) change depending on what the user specifies.


Re: Search Macro Question

Communicator

You can build a custom dashboard that includes a form.

See developer documentation at http://www.splunk.com/base/Documentation/latest/Developer/FormIntro for more information on building forms.

0 Karma

Re: Search Macro Question

Splunk Employee

Take a look at this example showing how you can parameterize a search macro:

Example - Combine search macros and transactions

So try defining your macro 'foo(4)' like this:

sourcetype="log-file-pub" $msg1$ OR $msg2$ OR $msg3$ OR $msg4$

And remember to specify your arguments in the Arguments list:

msg1,msg2,msg3,msg4

Then reference the macro like this:

`foo("bar1","bar2","bar3","bar4")`

... or with your specified messages:

`foo("market data retrieval failed","The request failed with HTTP status 503: Service Unavailable","Error getting market data","The request failed with HTTP status 403: Forbidden")`

Also, if you want to preserve the literal quotation marks, then either define your macro with quotes around the args:

sourcetype="log-file-pub" "$msg1$" OR "$msg2$" OR "$msg3$" OR "$msg4$"

... or pass the quotes when using the macro:

`foo("\"bar1\"","\"bar2\"","\"bar3\"","\"bar4\"")`


0 Karma
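The quoting behaviour described in the answer above, as an added example that is not part of the original post and is not Splunk's own parser: a simplified Python model of `$arg$` substitution that shows what each macro definition expands to. The helper names `parse_call` and `expand` and the shortened sample call are assumptions made for illustration.

```python
import re

# Simplified model (an assumption, not Splunk code): outer quotes around a
# macro argument are dropped, \" becomes a literal quote, and each $name$
# token in the definition is replaced by the matching argument value.

def parse_call(call):
    """Return the argument values of a call such as `foo("a","b")`."""
    m = re.fullmatch(r'`?\w+\((.*)\)`?', call.strip(), re.S)
    if not m:
        raise ValueError("not a macro call: %r" % call)
    args, cur, in_q, i = [], [], False, 0
    body = m.group(1)
    while i < len(body):
        if body.startswith('\\"', i):   # escaped quote survives as a literal
            cur.append('"')
            i += 2
            continue
        ch = body[i]
        if ch == '"':                   # unescaped quote only delimits the value
            in_q = not in_q
        elif ch == "," and not in_q:    # comma outside quotes separates values
            args.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if in_q:
        raise ValueError("unbalanced quote in macro call")
    return args + ["".join(cur)]

def expand(definition, arg_names, call):
    """Return the search string produced by substituting the call's values."""
    values = parse_call(call)
    if len(values) != len(arg_names):
        raise ValueError("macro takes %d arguments, got %d" % (len(arg_names), len(values)))
    table = dict(zip(arg_names, values))
    return re.sub(r"\$(\w+)\$", lambda m: table.get(m.group(1), m.group(0)), definition)

ARGS = ["msg1", "msg2", "msg3", "msg4"]
BARE = 'sourcetype="log-file-pub" $msg1$ OR $msg2$ OR $msg3$ OR $msg4$'
QUOTED = 'sourcetype="log-file-pub" "$msg1$" OR "$msg2$" OR "$msg3$" OR "$msg4$"'
# Constructed sample calls: two messages from the question, two placeholders.
CALL = '`foo("market data retrieval failed","Error getting market data","bar3","bar4")`'
ESCAPED = r'`foo("\"market data retrieval failed\"","\"Error getting market data\"","\"bar3\"","\"bar4\"")`'

if __name__ == "__main__":
    for definition, call in ((BARE, CALL), (QUOTED, CALL), (BARE, ESCAPED)):
        print(expand(definition, ARGS, call))
```

With the unquoted definition and the plain call, the messages land in the search as bare words rather than quoted phrases, so the search no longer looks for the exact error strings; the quoted definition and the escaped-quote call both expand to the phrase search from the question.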

Re: Search Macro Question

Motivator

I tried this. Was unsuccessful. Shouldn't my macro be called foo(4), which is defined as: sourcetype="log-file-pub" $messagearg$ OR $messagearg$ OR $messagearg$ OR $messagearg$? This is based on the fact that I want my macro to be able to take 4 arguments, being any 4 strings (error getting data etc.) that I want to write in the search.

0 Karma

Re: Search Macro Question

Splunk Employee

Sorry, I misunderstood what you want to do. So if I understand you correctly this time around, the revised answer should work.

0 Karma

Re: Search Macro Question

Splunk Employee

Can you clarify what exactly is to be parameterized? Maybe if you provide two or three examples where the parameter is different. Which parts of the search string are fixed, and which need to change, and how?

0 Karma

Re: Search Macro Question

Motivator

Hi gkanapathy, I edited my original question in relation to the things you have asked.

0 Karma