Yes, a macro would work, but you'd obviously need to maintain the macro. You might find a better solution to be sucking in a lookup table using inputlookup . The solution would look something like this:
Create a lookup table, call it monitored_users.csv and put it in $SPLUNK_HOME/etc/system/lookups . Make the contents something like the example below
Update your dashboard to pull this lookup in via subsearch
Profit!
Example monitored_users.csv:
user_name
cartman
kenny
kyle
stan
butters
timmay
Example search for dashboard:
[ | inputlookup monitored_users.csv | fields user_name ] _the_rest_of_your_search_
The way this winds up working is that the subsearch's output gets interpolated into the main search similar to:
( user_name="cartman" ) OR ( user_name="kenny" ) OR ( user_name="kyle" ) OR
( user_name="stan" ) OR ( user_name="butters" ) OR ( user_name="timmay )
_the_rest_of_your_search_
The rules for this interpolation are governed by how subsearches work in conjunction with the format search command (which is called implicitly in your subsearch unless you call it explicitly)
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format
http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork
... View more
