Search Macro

carlyleadmin
Contributor

Hi All,

I kind of already have this working, but I am wondering what else can be done with this. What other approaches can I implement?

So, in order to simplify analysis I have been testing a search macro, and I’m wondering if some of the features could be implemented in better ways in Splunk. It would be nice if we just inherently had these more “friendly” fields.

I created a Search macro named “SAP” which:
• Filters to only return where index like “stone*” to only show our logs

• Converts host name to environment (DEV, QA, UAT, PRODINT, PROD)
Available as a new field named “environment”

• Converts host name to application (FAM, KLM App, KLM Web)
Available as a new field named “application”

• Converts host name to friendlyhost (DEV FAM, DEV KLM App, DEV KLM Web, QA FAM, etc…)
Available as a new field named “friendlyhost”

One of the examples I use is
"ERROR" | SAP | timechart count by friendlyhost or by environment/application

This works fine, but I was wondering if there is a more elegant way of doing this, i.e. if I can build these “environment”, “application”, “friendlyhost” fields behind the scenes so I don’t need to use the search macro, as the macro complicates the query a bit.

Thanks for all the help


yannK
Splunk Employee

Calling the macro AFTER the search condition will be costly (as all events will be returned, then passed to the macro for later filtering).
It may be better to make one macro that goes in the main search condition (before the | ) to do the filter.

For the host/environment extractions, if they are simple regexes, you could use an automated field extraction instead of a macro.
For the host/environment/application conversion to a friendly name, you could also use an automated lookup.


carlyleadmin
Contributor

Thanks yannK, I will look into lookups and maybe field aliases.

carlyleadmin
Contributor

Thanks yannK. Automated field extraction will not work for me. I have 14 servers with long ass names, and when I want to bring up a report for all these environments I have to type every single one of those server names in my search. Maybe I can create an eventtype for some of the environments.

Thanks


FrankVl
Ultra Champion

Your comment (which shouldn't have been posted as an answer) doesn't make too much sense to me.

The macro you described in your question only populates some additional fields, derived from the host field. That sounds like a perfect case to implement using automated extractions and/or lookups.

Why would implementing these conversions as automated lookups/extractions rather than using the macro mean you have to type every single servername into your search?

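What the accepted answer and FrankVl's comment describe (a filter-only macro used before the first pipe, plus an automatic lookup that derives environment, application and friendlyhost from host), together with the eventtype idea from the follow-up, can be expressed as a small set of Splunk configuration stanzas. The following is an added example written for this thread, not configuration posted by anyone in it; the sourcetype name stone:app, the lookup and macro names, and the host patterns in the CSV are all assumed and would have to be replaced with the real ones.

```ini
# macros.conf
# Filtering macro meant to be used BEFORE the first pipe, so the index
# restriction is applied while events are retrieved instead of after the
# whole result set has been returned. Usage:
#   `sap_filter` ERROR | timechart count by friendlyhost
[sap_filter]
definition = index="stone*"
iseval = 0

# transforms.conf
# CSV lookup mapping host to the friendly fields. WILDCARD matching on host
# lets one row cover a naming pattern, so none of the long server names has
# to be typed into a search. max_matches = 1 makes the FIRST matching row
# win; keep more specific patterns (prodint) above more general ones (prod),
# otherwise environment would become a multivalue field.
[sap_host_lookup]
filename = sap_hosts.csv
match_type = WILDCARD(host)
case_sensitive_match = false
max_matches = 1

# props.conf
# Automatic lookup bound to a sourcetype (assumed name "stone:app"; bind it
# to whichever sourcetypes the "stone*" indexes actually hold). The fields
# environment, application and friendlyhost then exist in every search
# without calling a macro.
[stone:app]
LOOKUP-sap_host = sap_host_lookup host OUTPUT environment application friendlyhost
# Alternative for a regular naming scheme: a search-time regex on host, as
# the accepted answer suggests. Use either this or the LOOKUP above for the
# environment field, not both, since OUTPUT overwrites an extracted value.
# Alternation order matters: prodint must be tried before prod.
# EXTRACT-sap_env = (?i)(?<environment>prodint|prod|uat|qa|dev) in host

# eventtypes.conf
# Optional named searches per environment. Splunk applies lookups before
# event types in its search-time operation order, so the lookup-derived
# environment field can be referenced here.
[sap_dev]
search = index="stone*" environment=DEV

[sap_prod]
search = index="stone*" environment=PROD

# lookups/sap_hosts.csv (constructed sample rows; the host patterns are
# made up and must be replaced with the real naming scheme):
#
# host,environment,application,friendlyhost
# *dev*fam*,DEV,FAM,DEV FAM
# *dev*klmapp*,DEV,KLM App,DEV KLM App
# *dev*klmweb*,DEV,KLM Web,DEV KLM Web
# *qa*fam*,QA,FAM,QA FAM
# *uat*fam*,UAT,FAM,UAT FAM
# *prodint*klmweb*,PRODINT,KLM Web,PRODINT KLM Web
# *prod*fam*,PROD,FAM,PROD FAM
```

The stanzas go in an app's local/ directory and the CSV in its lookups/ directory, with the lookup definition shared so that other users' searches also see the derived fields. With this in place the original search becomes `sap_filter` ERROR | timechart count by friendlyhost, and environment or application can be used in the by clause the same way; the same fields can also be defined through Settings > Lookups > Automatic lookups in Splunk Web instead of editing props.conf.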

carlyleadmin
Contributor

I didn't mean to post my reply as an answer.