Splunk - Search Macros


Advertisements

Search macros are reusable blocks of Search Processing Language (SPL) that you can insert into other searches. They are used when you want to use the same search logic on different parts or values in the data set dynamically. They can take arguments dynamically and the search result will be updated as per the new values.

Macro Creation

To create the search macro, we go to the settings → Advanced Search → Search macros → Add new. This brings up the below screen where we start creating the macro.

Search Macro1

Macro Scenario

We want to show various stats about the file size from the web_applications log. The stats are about max, min and avg value of the filesize using the bytes field in the log. The result should display these stats for each file listed in the log.

So here the type of the stats is dynamic in nature. The name of the stats function will be passed as an argument to the macro.

Defining the Macro

Next, we define the macro by setting various properties as shown in the below screen. The name of the macro contains (1), indicating that there is one argument to be passed into the macro when it is used in the search string. fun is the argument which will be passed on to the macro during execution in the search query.

Search Macro2

Using the Macro

To use the macro, we make it a part of the search string. On passing different values for the argument we see different results as expected.

Consider finding the average size in bytes of the files. We pass avg as the argument and get the result as shown below. The macro has been kept under ` sign as part of the search query.

Search Macro3

Similarly, if we want the maximum file size for each of the files present in the log, then we use max as the argument. The result is as shown below.

Search Macro4
Advertisements