Hi all, I have created a custom search command that needs some preformatted input. To do so, I always run my command with the same Splunk commands before:
...
| eval a=b+c
| stats count by a
| bin ...
| my_custom_command(count,a,b,c)
Hence, I have created a macro to wrap all this code, so I only have to call my macro: ... | `my_macro(b,c)`
The problem is that, because it is a macro, it does not have the description from searchbnf.conf for "my_custom_command". So I would like to edit the code of "my_custom_command" to "embed" the Splunk commands I always run (the stats, bin, eval commands) before running my own code. Is there a way to do so? If not, is there a way to create a searchbnf for a macro?
Thanks for your help, but these solutions cannot be applied to my case...
About method 1, the users need to perform historical searches (between this date and time and that one, not just the last 24 hours, for example).
About method 2, I assume my users can easily forget what they read, and I don't want to be in the situation where you ignore a message because you see it daily.
The best mitigation I have found for now is a custom dashboard where the user inputs the start date, selects the search duration (1 hour, 24 hours, etc.), and then enters his query. The dashboard then specifies the earliest and latest tags based on the user input, and then feeds in the user's query.