Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- search with value from setup.xml
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a setup.xml and a myappsetup.conf all setup properly (lets make that assumption for now, still many bugs to iron out). From within myappsetup.conf, there is a field called order_transaction_min_count and I want to use this field in my searches.
For example:
search eventtype="Orders" | transaction fields="OrderNumber" | search count<order_transaction_min_count
Is this correct? Or am I missing something here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the past, I have achieved this functionality using macros. Just have your Python endpoint write out an entry in macros.conf:
# Add the definition
confMacro = {}
confMacro["definition"] = "10"
# Write out the conf file
self.writeConf("macros", "order_transaction_min_count", confMacro)
The resulting macros.conf should look something like (in local/macros.conf):
[order_transaction_min_count]
definition=10
Then, update your searches to use the macro:
search eventtype="Orders" | transaction fields="OrderNumber" | search count<`order_transaction_min_count`
Make sure to include a default value for the macro under the default directory (default/macros.conf) so that you can avoid a warning if the user did not override it with their own value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks LukeMurphey
Actually, I have gone with another route. Instead of using macros, I wrote a custom command which reads the the configuration dictionary with:
splunk.clilib.cli_common.getConfStanza("myappconfig", "setupentity")
and also reading the first argument to my command using:
sys.argv[1]
I was able to extract the information i needed and perform the custom search within the script. so now, my final search command would look something like this:
search eventtype="Orders" | transaction fields="OrderNumber" | mycustomcommand order_transaction_min_count
Thanks for your reply anyways.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the past, I have achieved this functionality using macros. Just have your Python endpoint write out an entry in macros.conf:
# Add the definition
confMacro = {}
confMacro["definition"] = "10"
# Write out the conf file
self.writeConf("macros", "order_transaction_min_count", confMacro)
The resulting macros.conf should look something like (in local/macros.conf):
[order_transaction_min_count]
definition=10
Then, update your searches to use the macro:
search eventtype="Orders" | transaction fields="OrderNumber" | search count<`order_transaction_min_count`
Make sure to include a default value for the macro under the default directory (default/macros.conf) so that you can avoid a warning if the user did not override it with their own value.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
