okay today we will discuss about plan
macros okay so his plan macros you can
think of it as a reusable component in
your Splunk search where suppose a
particular search portion if it is using
if you are using many times mmm then you
can put it in a macro so that you can
call that micro and the macro will be
replaced runtime with that search string
okay so macros are very very useful when
suppose you have many dashboards in your
application and in all this - but you
have some search which is running in all
the - boots right so in this case you
can implement that such portion in a
macro where you can just call that macro
instead of this whole search string in
your dashboards so in the future if you
want to do any changes in that search
logic you will just change into the into
one place in that in macro body okay so
so by implementing macro basically we
are achieving two things one is the
modularity of your code easily
maintaining of your code and as well as
your search string will be very much
smaller okay so there are there are
couple - two different types of macro we
generally deals with one is eval based
macro and there is no an evil based
macro so before we discuss those things
let me show you the data I have it here
so I have some people name and their
basic salary and and variable percent so
I'll show you to how to create evil
waste macro how to create non evil West
Metro and what are the differences
between them and and then how to call
macarons at a macro also we will try to
discuss that one okay so first let us
see how we can create a non evil macro
so now an evil macro and honorable macro
if you see functionality-wise both are
same so when we define a macro the macro
body you are giving this string right so
dynamically in the run time
macro will be definite will be replaced
by that macro body by spelling search
okay now when we talk about evil waste
macro it is expected that the macro is
returning a string when you use non evil
waste macro you can directly put the
search string inside the macro so let me
show you suppose I wanted to calculate
total salary based on this formula
called basic salary let me show you
basic salary plus basic into that
percentage variable percentage variable
percent okay so to do that to create any
macro from the Splunk uy this is how you
do it we'll go to settings we go to
advanced search okay from there if you
see there is a option called such Mac
rooms you go there you select your app
from there so I'll be creating this
matter in my tmdb app so I have selected
tmdb over here then new search macro
okay if you see the destination I've
already selected as TM GB I'll give it a
name let's say total salary okay so now
whether a macro is evil waste or not
determined by this check box if you
check this one it will be well waste
macro if you don't just check this one
it will be a non evil West macro so the
first we will discuss about non evil
missed macro so what I am trying to say
is when you what I said is whenever we
are creating a non evil West micro we
can directly give a search string over
there so my search team will be
something like this I will be creating a
new field called total salary so that's
why that evil total salary equals to now
I will be passing this to my basic
salary and variable percent to this
macro right row do that what I will do
I'll create a argument of this macro
in basic salary so in the argument
section you will be giving control see
these two things basic salary and
variable percent as two arguments as the
macro has two arguments it is mandatory
that in this name section you give how
many number of arguments you have in
your macro if it is one you have to give
one here okay now the formula is my
basic salary now this basic salary is my
input variable right so to access input
variable you access like this just like
it token okay basic salary plus my basic
salary into that variable percent again
as input I am accessing right then
divide it by 100 so this will be minus
macro body now there is a two options
for validation expression interrogation
error message I will show you in the
next macro see if I save it okay
so if you see the macro has been created
now if I call this macro over here so to
call a macro this is how you call there
is a tick mark if you see okay from your
keyboard then the macro name total
salary and it has two arguments right my
basic salary and my variable percent
then tick end now this basic salary is
corresponds to this basic salary and
variable person corresponds to this
variable person failed
now when you define the macro I have
given the same name as macro input you
can give any any input variable name
over here the same name you have to use
over here as well but when you pass a
macro pass this visix ready and variable
person to this macro you'll be giving
this field name only
so let us run it and see what's going on
if you see it has created a total salary
failed with this formal output 4000 plus
4000 into 15% is 4,600 right so it is
basically same as the run time what is
happening is something like this so if I
instead of total salary if I just gave
this one and instead of this token
variable I just give my flake name here
the output will be same variable percent
the output will be same so this is how
what is happening as well so run time
Splunk is replacing this macro body with
this variable inputs and then it is
running the query so ultimately this
squad is getting run okay so but the
thing is this this code if you put it in
a macro you can call that macro anybody
new such so that means that this code
portions will be reusable now okay now
let's see an example where we can use
this validation expression and
validation error message now a
validation expression is used when you
want to do some kind of validation on
your macro inputs okay so and validation
error message means when this input is
getting or this validation is getting
filled this error message will be
displayed over there so to do that what
I will do is I'll create another macro
okay so now let's say we have basic
salary and variable percent right let's
say we want to calculate a bonus
percentage with this formula called
variable percent variable percent plus
any any of the person any number let's
say seven percent or eight in a number
I'll provide inputs it will give me it
will add those two percentage value and
give me the bonus percent okay so to do
that I will just create that similar
macro name bonus
okay so the formula will be again it
will be non evil based okay eval bonus
equals two so my variable percent right
I have to provide as a input so I'll
giving input so let's say this time I
will rename this to something maybe so
I'll say dollar VP dollar then plus
another input I will be giving let's say
bonus input okay so this bonus I will be
adding here okay Nonna's so we have two
inputs that means we have to give two
over here now I'll add an expression now
I always want this bonus to be in number
okay do that i'll so this validation
expression has to be a boolean
expression or eval okay so if you saw my
previous video we we discussed about
various evil expressions right and some
of the expressions returns bully and the
strict like operator or in operator or
easy num operator which basically checks
whether a particular input is number or
not so you will be using is numb over
here on this bonus that means I am
checking whether whatever I am providing
as the input to this bonus variable
parameter whether it is number or not if
it is not number will I will give this
in this output error message bonus must
be and number okay
so let's save this macro okay now I will
call this macro here let it be my total
salary macro called as is if I just do
control see
okay here I'm calling my total salary so
to stick the output now after that I'll
be calling the bonus macro it's a
similar way tick macro named micro
inputs one of the inputs will be my
variable percent and another another
output may be let's say 8 percent I want
to add with the variable percent so what
will be output in this case it should
create a new field called bonus with 15
plus 8 20 plus 8 something like this
okay if you see you can create you can
access different different macros in
your whole search okay now let's say I
have provided a string here it says test
ok what is happening so if you provide
this thing here that validation is
getting failed we have added over here
is numb so that set is giving you this
error bonus must be a number so this is
how macro input validation works ok let
us continue now we will discuss about
how to create an eval macro so to do
that what we'll do is first let me show
you two things if you remember from my
previous video we have created a command
called gate churners right and that
common takes an input with the journal
ID and if we are not giving any general
idea giving star it will give you all
the journal titles right and also we
have a we have created a our we have
index our data into this main index
right so you have another data set
called main where we have we're having
this salary and this information just
now you are working with a data set so
suppose there is a requirement that
based on certain condition either I need
to go with this data set or I need to go
with this data set in this type of
scenario where dynamically you have to
determine which data set to work on or
dynamically
in which search string to which search
things were written that means to
assistant to work with eval macros are
coming into picture okay so because the
main concept behind evil macro is it has
to return a string so in that case how
we will create is like this let's say
new search macro I'll give a name call
gate channel or main index okay just
like the name just to show you the use
case of it so here what I will write I
will write it if or case statement
really mostly we light a key for case
statement for eval based macro so case
so that we can have different different
condition and based on the condition we
will be returning the search string but
ultimately if you see we are in the
start sitting only at the end of the day
so that Splunk will replace that macro
with that search string so i'm saying i
will provide argument here let's say
same same argument name let's say so
either i will provide gate channel or i
will provide main as my or argument
value okay i'll show you how how i
provide that one case i am saying my
input taller this one dollar is equals
to let us say gate channel okay as it is
within quotes remember that if this one
has to be quotes as well or when you are
calling you have to call with this with
course i prefer to be like this only so
that everything is in your inside your
macro only in that case the string I
will return is this kind get Jenna star
now you have to be very careful over
here when you dil Dil with a generating
command if you seek it generates a
generating comment right thats why this
has to be the first command in your
search string now for generating comment
when you run it if you see there is a
bar over here search bar right after
that only if I run this command without
this word nothing will come up
it requires this bar but when you put
this gate Jenner star this generating
command inside a macro so you put it
without the bar so that when you call
the macro you will call with bar then
macro name I will show you that one as
well but that's why I am giving without
the bar here this is this has to be very
careful with the generating comments
because if you put bar inside it will
not work now when my input is main ok in
that case I will return the string
called search index equals two main here
also another good thing is when you run
index equals two main from your search
prompt right you do not need to mention
search then index equals two main
because that is by default comes up but
when you use it in a macro or somewhere
else
you have to put it like this search then
index equals to me okay so this thing I
will be returning says my macro has one
input so I will be giving one here okay
validation we are not doing anything now
so let's save it okay this is our third
macro so get general or main see if I
run this macro now okay so as I said it
has a generating comment that's why I am
giving a bar over here then my take and
then my input let's say I will be giving
input s get general I want to know I
want to work with the data set to get
channel okay so if let's see okay
bracket this missing over here save now
if you see if I run this macro again it
is giving me same because sometimes it's
not you don't take the refreshed value
so what I will do in this case just copy
this code close it Danny taking such
Factory unknown search comma
and case to see what's going on okay it
has to be evil waste macro because it is
running a string now right so let's say
wait and let it is not okay now if you
see if I run this gate general macro so
it is giving me this data set where it
is running that gate general Starr
generating command and giving me this
result if I say main in this case it is
giving me this data set where I have
index my data so this is how you can
create a evil waste macro okay so now
macro has a diff separate permissions as
well if you see from this macro macro
list page you can and you can set the
permissions as well so currently I will
show you I will set this permission as
this upon't Li and read I will say
everyone and right let's say admin let's
do it for all the macros permission so
you have to be very careful with the
macro permissions as well otherwise any
unprivileged user will not be able to
run this macro and your dashboard will
not show up anything so read/write okay
now we have set the permissions of the
macro as well now let's see what's going
on at the background so I am in my
Splunk home I will go to a TC apps tmdb
F and I will go to my local folder if
you see whenever you creates a macro
it's creates a another Khan file called
macro scones I will open this file and
if you see all different macros we have
created its gate separate separate
stanza for that macro name and with all
the input numbers right and args is the
inputs of this macros wait for bonus if
you see here for bonus my arguments are
VPN bonus like two arguments those are
showing up here this
the macro definition this is the error
message you set it for this macro this
is the validation you have set it for
this macro and this is evil is telling
you whether this macro is well based or
not as our last macro get general or
main is evil ways that Troy is evil is
one for rest of the - macros easy well
is zero okay now you can you can call a
macro another inside another macro so to
do that let's do this exercise where we
have created these totals energy right
and also bonus
so inside total Cirelli we will try to
call this bonus one who do that I will
do one thing I will clone this total
celery macro no I like this let's let's
get a new one only it's a total salary
total salary
yv2
version - okay so what I will do it will
not be well based macro let's say my
previous will be there he well right so
it has two arguments basic salary and
variable percent right now I'll be
adding this bonus as well so bonus
requires another extra input called
bonus right so I will be adding this as
a extra input comma this so my total
macro inputs will be three basic salary
and variable pay will be he'll be used
here and variable pay and bonus will be
used in another evil statement which we
have which will be a calling in this
bonus macro right so in this case I will
be calling this bonus macro inside so
I'll say this one pipe then my bonus
macro bonus macro takes two arguments
one is variable percent and another is
bonus so variable percent I'll pass and
I'll pass this bonus as well so ideally
the behavior should be same as we have
seen before right so
done tick okay so now let's save it okay
so total sir I do so before before I do
that so let us run our macro so I'll
just copy paste that code portion here
right so I'll just copy paste this code
portion here
it's a macro total salary nan okay I
think total I am my macro is total 7
this mismatch parenthesis okay okay so
it has created this one in this new new
field in the new search field what I
will do is on after this one
I will be calling my total salary
version 2 macro okay what it is doing
the work of both of these 2 bonus and
total salary right so total salary
version - okay so my tick version 2
version 2 requires three arguments one
is my basic salary variable percent and
the similar person value I will gives 8
so that we can at least compare what's
the outputs so if I run this one see if
it is it is working in the same way
where it is getting this bonus field and
total salary and if you see the output
is same as well
15:22 we have given seven here okay
let's let's run it with seven only see
if you see fifteen twenty two twenty two
twenty seventeen ten seventy like this
okay so this is how you can call a macro
inside another macro as well so if you
see here by by by by this structure you
can achieve a very complex structure as
well and complex structure which which
is basically a useable component in
Splunk search query okay so this is how
you need to know basically to deal with
macros and macros are very useful in
Splunk because not only it it it gives
you the modularity approach but also
it's it's is give you the very shorter
search string and very readable course
as well ok see you in next video