Solved: Re: Search Macro

carlyleadmin · ‎01-24-2018

Hi All,

i kind of already have this working but wondering what else can be done with this?what other approaches i can implement?

So,In order to simplify analysis I have been testing a search macro and I’m wondering of some of the features could be implemented in better ways in Splunk. It would be nice if we just inherently had these more “friendly” fields.

I created a Search macro named “SAP” which:
• Filters to only return where index like “stone*” to only show our logs

• Converts host name to environment (DEV, QA, UAT, PRODINT, PROD)
Available as a new field named “environment”

• Converts host name to application (FAM, KLM App,KLM Web)
Available as a new field named “application”

• Converts host name to friendlyhost (DEV FAM, DEV KLM App, DEV KLM Web, QA FAM, etc…)
Available as a new field named “friendlyhost”

one of the examples i use is
"ERROR" | SAP | timechart count by friendlyhost or by environment/application

this works fine, but i was wondering if there is a more elegant way of doing this.If i can build these “environment”, “application”, “friendlyhost” fields behind the scenes so i don’t need to use the search macro as the macro complicates the query a bit.

Thanks for all the help

yannK · ‎01-24-2018

Calling the macro AFTER the search condition will be costly. (as all events will be returned, then passed to the macro for later filtering)
It may be better to make one macro that goes in the main search condition (before the | ), to do the filter.

For the host/envitonment extractions, if they are simple regex, you could use an automated field extraction instead of a macro.
For the host/environment/application conversion to a friendly name, you could also use an automated lookup.

View solution in original post

yannK · ‎01-24-2018

Calling the macro AFTER the search condition will be costly. (as all events will be returned, then passed to the macro for later filtering)
It may be better to make one macro that goes in the main search condition (before the | ), to do the filter.

For the host/envitonment extractions, if they are simple regex, you could use an automated field extraction instead of a macro.
For the host/environment/application conversion to a friendly name, you could also use an automated lookup.

carlyleadmin · ‎01-25-2018

Thanks Yannk,i will look into lookups and maybe field aliases

carlyleadmin · ‎01-25-2018

Thanks yannk.automated field extraction will not work for me.i have 14 servers with long ass names and when i want to bring up a report for all these environments i have to type every single one of those server names in my search.maybe i can create an eventtype for some of the environments.

Thanks

FrankVl · ‎01-25-2018

Your comment (which shouldn't have been posted as an answer) doesn't make too much sense to me.

The macro you described in your question only populates some additional fields, derived from the host field. That sounds like a perfect case to implement using automated extractions and/or lookups.

Why would implementing these conversions as automated lookups/extractions rather than using the macro mean you have to type every single servername into your search?

carlyleadmin · ‎01-25-2018

i didn't mean to post my reply as an answer.

Search Macro

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation