Splunk - Search Macros
Search macros are reusable blocks of Search Processing Language (SPL) that you can insert into other searches. They are useful when you want to apply the same search logic to different parts or values of a data set. A macro can take arguments, and the search results change according to the values passed in at run time.
Macro Creation
To create a search macro, go to Settings → Advanced search → Search macros → Add new. This opens the form in which the macro is defined.
Macro Scenario
We want to show various statistics about file size from the web_applications log: the maximum, minimum and average of the bytes field. The result should display these statistics for each file listed in the log.
The type of statistic is therefore dynamic. The name of the stats function will be passed as an argument to the macro.
Defining the Macro
Next, we define the macro by setting its properties. The macro name ends in (1), indicating that the macro takes one argument when it is used in a search string. fun is the name of that argument; inside the macro definition it is referenced as $fun$ and is replaced by the value supplied when the search runs.
Using the Macro
To use the macro, we make it part of the search string, enclosing the macro name and its argument in backticks (`). Passing different values for the argument gives different results, as expected.
Consider finding the average size in bytes of the files. We pass avg as the argument and get the average of the bytes field for each file.
Similarly, if we want the maximum file size for each file present in the log, we use max as the argument and get the maximum of the bytes field for each file.
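Putting the three steps together, the following is an added example of the same macro written as a macros.conf stanza, which is the file the Settings form writes to; it is not the page's own definition. The macro name filesize_stats, the source name web_applications.log, and the field names bytes and file are assumptions. It also adds the validation and errormsg settings, which the page does not mention but which matter in practice: the argument is spliced into the search as raw text, so restricting it to the three expected function names keeps a caller (for example a dashboard token) from injecting arbitrary SPL through the macro.

```ini
# macros.conf (added example; macro name, source and field names are assumptions)
# The stanza name carries the argument count, as described above: one argument.
[filesize_stats(1)]
args = fun
# $fun$ is replaced textually with the supplied value at search time,
# so `filesize_stats(avg)` expands to: stats avg(bytes) BY file
definition = stats $fun$(bytes) BY file
# Validation is an eval expression that must return true; because the
# substitution is plain text, reject anything that is not one of the
# three statistics the page is about.
validation = match(fun, "^(avg|max|min)$")
errormsg = fun must be one of avg, max or min

# Usage in the search bar (assumed source name):
#   source="web_applications.log" | `filesize_stats(avg)`
#   source="web_applications.log" | `filesize_stats(max)`
#   source="web_applications.log" | `filesize_stats(min)`
```

The same four values map onto the Name, Arguments, Definition, Validation expression and Validation error message fields of the Add new form. After saving, check the macro's sharing setting: a macro created under an app is private to its creator until it is shared with the app or globally, so a scheduled search or dashboard owned by another user will fail to expand it.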