If there were a way to update a macro, it would likely have a ReST endpoint, but there doesn't appear to be one. Having said that, even if there were, this sounds like a risky thing to be doing anyway. Perhaps a better way would be to update a lookup or KV store with the results from your search so that the macro can use those, i.e. keep the processing (defined by the macro) separate from the data (found by the search). What you seem to be asking for smacks of self-modifying code, which, while it may sound like a cool thing to do, is generally not a safe practice.
Thanks @ITWhisperer for your valuable info. My lookup is full of rex patterns (1000s of patterns), but I don't want to dump all of this into a macro. That's why I thought to update the macro only if I start seeing new patterns in the result events. If you could help me with this specific use case it would be very helpful. Thanks in advance.
Does your lookup have 1000s of patterns, or does your macro have 1000s of patterns, or both?
Where do these patterns come from?
Please explain in a bit more detail, with examples, what your use case is.
I have 1000s of rex patterns which are already available in a lookup file, but I don't want to put everything into the macro. So I thought to update the macro only if I start seeing events that match a rex pattern in the lookup but not in the macro. By doing this I keep a minimal set of rex patterns in the macro (for now I have 232 rex patterns in the macro).
Let's say the following are a few of the rex patterns available in my lookup (the literal `*` in `SELECT * FROM` has to be escaped, otherwise it quantifies the preceding space and the pattern never matches):
| rex field=LogLine mode=sed "s|(Deprecated configuration detected in path).*( Please update your settings to use the latest configuration options.)|\1 \2|g"
| rex field=LogLine mode=sed "s|(Query execution time exceeded the threshold:).*(seconds. Query: SELECT \* FROM users WHERE last_login).*|\1 \2|g"
| rex field=LogLine mode=sed "s|(Query execution time exceeded the threshold:).*(seconds. Query: SELECT \* FROM contacts WHERE contact_id).*|\1 \2|g"
Below are the search results on which I want to use the above rex patterns:
WARN ConfigurationLoader - Deprecated configuration detected in path /xx/yy/zz. Please update your settings to use the latest configuration options.
WARN ConfigurationLoader - Deprecated configuration detected in path /aa/dd/jkl. Please update your settings to use the latest configuration options.
WARN QueryExecutor - Query execution time exceeded the threshold: 12.3 seconds. Query: SELECT * FROM users WHERE last_login > '2024-01-01'.
WARN QueryExecutor - Query execution time exceeded the threshold: 21.9 seconds. Query: SELECT * FROM contacts WHERE contact_id > '252'.
So if I do stats I'll get something like the following:

| LogLine | Count |
|---|---|
| Deprecated configuration detected in path . Please update your settings to use the latest configuration options. | 2 |
| Query execution time exceeded the threshold: seconds. Query: SELECT * FROM users WHERE last_login | 1 |
| Query execution time exceeded the threshold: seconds. Query: SELECT * FROM contacts WHERE contact_id | 1 |
Convert your lookup so it has a pattern and a name for the pattern, e.g.

| logline | pattern |
|---|---|
| Deprecated configuration detected in path Please update your settings to use the latest configuration options. | *Deprecated configuration detected in path* Please update your settings to use the latest configuration options.* |
| Query execution time exceeded the threshold: seconds. Query: SELECT * FROM users WHERE last_login | *Query execution time exceeded the threshold:*seconds. Query: SELECT * FROM users WHERE last_login* |
| Query execution time exceeded the threshold: seconds. Query: SELECT * FROM contacts WHERE contact_id | *Query execution time exceeded the threshold:*seconds. Query: SELECT * FROM contacts WHERE contact_id* |

Then add a lookup definition and use the advanced options to set WILDCARD(pattern).
Now you can use lookup on your events to find out which type of loglines you have:

| lookup patterns.csv pattern as _raw
| stats count by logline
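As an added illustration (not from the thread and not Splunk's own code), here is a small Python model of the WILDCARD lookup approach above: it turns the constructed patterns.csv rows into anchored regexes where only `*` is special, classifies the thread's sample events and counts them by logline, and lists events that no row covers, i.e. the candidates for new lookup rows rather than macro edits. The function names and the `*`-to-regex translation are assumptions; Splunk's real WILDCARD matcher is not exercised here.

```python
import re
from collections import Counter

# Constructed lookup rows mirroring the thread's patterns.csv: (logline, pattern).
PATTERNS = [
    ("Deprecated configuration detected in path Please update your settings to use the latest configuration options.",
     "*Deprecated configuration detected in path* Please update your settings to use the latest configuration options.*"),
    ("Query execution time exceeded the threshold: seconds. Query: SELECT * FROM users WHERE last_login",
     "*Query execution time exceeded the threshold:*seconds. Query: SELECT * FROM users WHERE last_login*"),
    ("Query execution time exceeded the threshold: seconds. Query: SELECT * FROM contacts WHERE contact_id",
     "*Query execution time exceeded the threshold:*seconds. Query: SELECT * FROM contacts WHERE contact_id*"),
]

# Constructed sample events, copied from the thread's search results.
EVENTS = [
    "WARN ConfigurationLoader - Deprecated configuration detected in path /xx/yy/zz. Please update your settings to use the latest configuration options.",
    "WARN ConfigurationLoader - Deprecated configuration detected in path /aa/dd/jkl. Please update your settings to use the latest configuration options.",
    "WARN QueryExecutor - Query execution time exceeded the threshold: 12.3 seconds. Query: SELECT * FROM users WHERE last_login > '2024-01-01'.",
    "WARN QueryExecutor - Query execution time exceeded the threshold: 21.9 seconds. Query: SELECT * FROM contacts WHERE contact_id > '252'.",
]

def wildcard_to_regex(pattern: str) -> re.Pattern:
    """WILDCARD semantics (assumed): '*' matches any run of characters and every
    other character is literal, so 'SELECT * FROM' needs no escaping, unlike in
    a rex/sed pattern where a bare '*' is a quantifier."""
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.DOTALL)

COMPILED = [(logline, wildcard_to_regex(p)) for logline, p in PATTERNS]

def classify(raw: str):
    """Return the logline name of the first lookup row matching the raw event, or None."""
    for logline, rx in COMPILED:
        if rx.match(raw):
            return logline
    return None

def count_by_logline(events):
    """Model of `| lookup patterns.csv pattern as _raw | stats count by logline`."""
    return Counter(c for c in map(classify, events) if c is not None)

def unmatched(events):
    """Events no lookup row covers: add these as rows to the lookup (data),
    instead of growing the macro (code)."""
    return [e for e in events if classify(e) is None]
```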
Thank you, @ITWhisperer. It's working as expected 😊
So let me see if I have understood:
You have 1000s of patterns in a lookup which you use against a set of events and if any of the events match against a pattern in the lookup you copy that pattern into a macro? And this is the process you want to automate?
Absolutely correct. That's my intention, and I'm a bit worried that I would hit a performance impact if I keep on updating the macro and it exceeds a limit at some point. Is there any better approach I can use for this use case? Happy to adapt to any better approaches.