- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: search with value from setup.xml
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a setup.xml and a myappsetup.conf all setup properly (lets make that assumption for now, still many bugs to iron out). From within myappsetup.conf, there is a field called order_transaction_min_count and I want to use this field in my searches.
For example:
search eventtype="Orders" | transaction fields="OrderNumber" | search count<order_transaction_min_count
Is this correct? Or am I missing something here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the past, I have achieved this functionality using macros. Just have your Python endpoint write out an entry in macros.conf:
# Add the definition
confMacro = {}
confMacro["definition"] = "10"
# Write out the conf file
self.writeConf("macros", "order_transaction_min_count", confMacro)
The resulting macros.conf should look something like (in local/macros.conf):
[order_transaction_min_count]
definition=10
Then, update your searches to use the macro:
search eventtype="Orders" | transaction fields="OrderNumber" | search count<`order_transaction_min_count`
Make sure to include a default value for the macro under the default directory (default/macros.conf) so that you can avoid a warning if the user did not override it with their own value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks LukeMurphey
Actually, I have gone with another route. Instead of using macros, I wrote a custom command which reads the the configuration dictionary with:
splunk.clilib.cli_common.getConfStanza("myappconfig", "setupentity")
and also reading the first argument to my command using:
sys.argv[1]
I was able to extract the information i needed and perform the custom search within the script. so now, my final search command would look something like this:
search eventtype="Orders" | transaction fields="OrderNumber" | mycustomcommand order_transaction_min_count
Thanks for your reply anyways.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the past, I have achieved this functionality using macros. Just have your Python endpoint write out an entry in macros.conf:
# Add the definition
confMacro = {}
confMacro["definition"] = "10"
# Write out the conf file
self.writeConf("macros", "order_transaction_min_count", confMacro)
The resulting macros.conf should look something like (in local/macros.conf):
[order_transaction_min_count]
definition=10
Then, update your searches to use the macro:
search eventtype="Orders" | transaction fields="OrderNumber" | search count<`order_transaction_min_count`
Make sure to include a default value for the macro under the default directory (default/macros.conf) so that you can avoid a warning if the user did not override it with their own value.
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
