0:00:00.030,0:00:02.939
okay today we will discuss about plan

0:00:02.939,0:00:06.240
macros okay so his plan macros you can

0:00:06.240,0:00:09.090
think of it as a reusable component in

0:00:09.090,0:00:12.960
your Splunk search where suppose a

0:00:12.960,0:00:15.870
particular search portion if it is using

0:00:15.870,0:00:18.930
if you are using many times mmm then you

0:00:18.930,0:00:20.460
can put it in a macro so that you can

0:00:20.460,0:00:23.580
call that micro and the macro will be

0:00:23.580,0:00:26.310
replaced runtime with that search string

0:00:26.310,0:00:28.920
okay so macros are very very useful when

0:00:28.920,0:00:31.890
suppose you have many dashboards in your

0:00:31.890,0:00:34.590
application and in all this - but you

0:00:34.590,0:00:38.670
have some search which is running in all

0:00:38.670,0:00:41.610
the - boots right so in this case you

0:00:41.610,0:00:43.410
can implement that such portion in a

0:00:43.410,0:00:45.680
macro where you can just call that macro

0:00:45.680,0:00:47.850
instead of this whole search string in

0:00:47.850,0:00:50.370
your dashboards so in the future if you

0:00:50.370,0:00:52.440
want to do any changes in that search

0:00:52.440,0:00:55.140
logic you will just change into the into

0:00:55.140,0:00:58.530
one place in that in macro body okay so

0:00:58.530,0:01:01.350
so by implementing macro basically we

0:01:01.350,0:01:04.170
are achieving two things one is the

0:01:04.170,0:01:06.930
modularity of your code easily

0:01:06.930,0:01:09.630
maintaining of your code and as well as

0:01:09.630,0:01:11.250
your search string will be very much

0:01:11.250,0:01:15.720
smaller okay so there are there are

0:01:15.720,0:01:18.689
couple - two different types of macro we

0:01:18.689,0:01:20.580
generally deals with one is eval based

0:01:20.580,0:01:23.189
macro and there is no an evil based

0:01:23.189,0:01:26.400
macro so before we discuss those things

0:01:26.400,0:01:29.790
let me show you the data I have it here

0:01:29.790,0:01:32.909
so I have some people name and their

0:01:32.909,0:01:36.270
basic salary and and variable percent so

0:01:36.270,0:01:39.720
I'll show you to how to create evil

0:01:39.720,0:01:42.420
waste macro how to create non evil West

0:01:42.420,0:01:43.710
Metro and what are the differences

0:01:43.710,0:01:47.939
between them and and then how to call

0:01:47.939,0:01:49.860
macarons at a macro also we will try to

0:01:49.860,0:01:52.470
discuss that one okay so first let us

0:01:52.470,0:01:56.759
see how we can create a non evil macro

0:01:56.759,0:02:00.409
so now an evil macro and honorable macro

0:02:00.409,0:02:03.600
if you see functionality-wise both are

0:02:03.600,0:02:07.020
same so when we define a macro the macro

0:02:07.020,0:02:09.890
body you are giving this string right so

0:02:09.890,0:02:12.900
dynamically in the run time

0:02:12.900,0:02:15.670
macro will be definite will be replaced

0:02:15.670,0:02:18.160
by that macro body by spelling search

0:02:18.160,0:02:22.810
okay now when we talk about evil waste

0:02:22.810,0:02:26.500
macro it is expected that the macro is

0:02:26.500,0:02:29.890
returning a string when you use non evil

0:02:29.890,0:02:32.140
waste macro you can directly put the

0:02:32.140,0:02:34.210
search string inside the macro so let me

0:02:34.210,0:02:37.240
show you suppose I wanted to calculate

0:02:37.240,0:02:40.000
total salary based on this formula

0:02:40.000,0:02:43.240
called basic salary let me show you

0:02:43.240,0:02:50.340
basic salary plus basic into that

0:02:50.340,0:02:54.160
percentage variable percentage variable

0:02:54.160,0:02:58.390
percent okay so to do that to create any

0:02:58.390,0:03:01.180
macro from the Splunk uy this is how you

0:03:01.180,0:03:03.850
do it we'll go to settings we go to

0:03:03.850,0:03:08.170
advanced search okay from there if you

0:03:08.170,0:03:10.780
see there is a option called such Mac

0:03:10.780,0:03:13.270
rooms you go there you select your app

0:03:13.270,0:03:15.520
from there so I'll be creating this

0:03:15.520,0:03:17.800
matter in my tmdb app so I have selected

0:03:17.800,0:03:20.850
tmdb over here then new search macro

0:03:20.850,0:03:23.709
okay if you see the destination I've

0:03:23.709,0:03:26.410
already selected as TM GB I'll give it a

0:03:26.410,0:03:36.150
name let's say total salary okay so now

0:03:36.150,0:03:39.220
whether a macro is evil waste or not

0:03:39.220,0:03:41.200
determined by this check box if you

0:03:41.200,0:03:42.790
check this one it will be well waste

0:03:42.790,0:03:45.489
macro if you don't just check this one

0:03:45.489,0:03:48.220
it will be a non evil West macro so the

0:03:48.220,0:03:49.660
first we will discuss about non evil

0:03:49.660,0:03:51.730
missed macro so what I am trying to say

0:03:51.730,0:03:55.180
is when you what I said is whenever we

0:03:55.180,0:03:57.459
are creating a non evil West micro we

0:03:57.459,0:03:59.110
can directly give a search string over

0:03:59.110,0:04:01.270
there so my search team will be

0:04:01.270,0:04:03.160
something like this I will be creating a

0:04:03.160,0:04:05.890
new field called total salary so that's

0:04:05.890,0:04:13.510
why that evil total salary equals to now

0:04:13.510,0:04:17.380
I will be passing this to my basic

0:04:17.380,0:04:19.870
salary and variable percent to this

0:04:19.870,0:04:22.720
macro right row do that what I will do

0:04:22.720,0:04:26.080
I'll create a argument of this macro

0:04:26.080,0:04:28.300
in basic salary so in the argument

0:04:28.300,0:04:32.550
section you will be giving control see

0:04:32.550,0:04:35.710
these two things basic salary and

0:04:35.710,0:04:40.360
variable percent as two arguments as the

0:04:40.360,0:04:42.789
macro has two arguments it is mandatory

0:04:42.789,0:04:46.780
that in this name section you give how

0:04:46.780,0:04:48.819
many number of arguments you have in

0:04:48.819,0:04:50.830
your macro if it is one you have to give

0:04:50.830,0:04:55.629
one here okay now the formula is my

0:04:55.629,0:04:59.139
basic salary now this basic salary is my

0:04:59.139,0:05:03.009
input variable right so to access input

0:05:03.009,0:05:04.780
variable you access like this just like

0:05:04.780,0:05:11.770
it token okay basic salary plus my basic

0:05:11.770,0:05:21.159
salary into that variable percent again

0:05:21.159,0:05:26.319
as input I am accessing right then

0:05:26.319,0:05:29.849
divide it by 100 so this will be minus

0:05:29.849,0:05:33.759
macro body now there is a two options

0:05:33.759,0:05:35.229
for validation expression interrogation

0:05:35.229,0:05:36.580
error message I will show you in the

0:05:36.580,0:05:42.400
next macro see if I save it okay

0:05:42.400,0:05:44.909
so if you see the macro has been created

0:05:44.909,0:05:49.509
now if I call this macro over here so to

0:05:49.509,0:05:51.520
call a macro this is how you call there

0:05:51.520,0:05:54.400
is a tick mark if you see okay from your

0:05:54.400,0:06:01.060
keyboard then the macro name total

0:06:01.060,0:06:04.690
salary and it has two arguments right my

0:06:04.690,0:06:08.699
basic salary and my variable percent

0:06:08.699,0:06:13.150
then tick end now this basic salary is

0:06:13.150,0:06:15.129
corresponds to this basic salary and

0:06:15.129,0:06:16.719
variable person corresponds to this

0:06:16.719,0:06:18.069
variable person failed

0:06:18.069,0:06:21.279
now when you define the macro I have

0:06:21.279,0:06:23.050
given the same name as macro input you

0:06:23.050,0:06:26.080
can give any any input variable name

0:06:26.080,0:06:28.000
over here the same name you have to use

0:06:28.000,0:06:30.580
over here as well but when you pass a

0:06:30.580,0:06:33.759
macro pass this visix ready and variable

0:06:33.759,0:06:35.860
person to this macro you'll be giving

0:06:35.860,0:06:37.449
this field name only

0:06:37.449,0:06:40.270
so let us run it and see what's going on

0:06:40.270,0:06:43.889
if you see it has created a total salary

0:06:43.889,0:06:47.650
failed with this formal output 4000 plus

0:06:47.650,0:06:51.819
4000 into 15% is 4,600 right so it is

0:06:51.819,0:06:54.639
basically same as the run time what is

0:06:54.639,0:06:58.120
happening is something like this so if I

0:06:58.120,0:07:00.099
instead of total salary if I just gave

0:07:00.099,0:07:04.300
this one and instead of this token

0:07:04.300,0:07:07.960
variable I just give my flake name here

0:07:07.960,0:07:14.490
the output will be same variable percent

0:07:14.490,0:07:18.520
the output will be same so this is how

0:07:18.520,0:07:21.490
what is happening as well so run time

0:07:21.490,0:07:25.060
Splunk is replacing this macro body with

0:07:25.060,0:07:28.029
this variable inputs and then it is

0:07:28.029,0:07:29.710
running the query so ultimately this

0:07:29.710,0:07:32.740
squad is getting run okay so but the

0:07:32.740,0:07:34.960
thing is this this code if you put it in

0:07:34.960,0:07:36.909
a macro you can call that macro anybody

0:07:36.909,0:07:39.129
new such so that means that this code

0:07:39.129,0:07:42.490
portions will be reusable now okay now

0:07:42.490,0:07:46.149
let's see an example where we can use

0:07:46.149,0:07:47.680
this validation expression and

0:07:47.680,0:07:49.270
validation error message now a

0:07:49.270,0:07:51.699
validation expression is used when you

0:07:51.699,0:07:54.819
want to do some kind of validation on

0:07:54.819,0:08:00.279
your macro inputs okay so and validation

0:08:00.279,0:08:02.830
error message means when this input is

0:08:02.830,0:08:04.749
getting or this validation is getting

0:08:04.749,0:08:06.430
filled this error message will be

0:08:06.430,0:08:09.459
displayed over there so to do that what

0:08:09.459,0:08:14.639
I will do is I'll create another macro

0:08:14.639,0:08:20.110
okay so now let's say we have basic

0:08:20.110,0:08:22.569
salary and variable percent right let's

0:08:22.569,0:08:24.789
say we want to calculate a bonus

0:08:24.789,0:08:27.669
percentage with this formula called

0:08:27.669,0:08:32.349
variable percent variable percent plus

0:08:32.349,0:08:35.620
any any of the person any number let's

0:08:35.620,0:08:37.930
say seven percent or eight in a number

0:08:37.930,0:08:40.539
I'll provide inputs it will give me it

0:08:40.539,0:08:43.060
will add those two percentage value and

0:08:43.060,0:08:45.610
give me the bonus percent okay so to do

0:08:45.610,0:08:48.279
that I will just create that similar

0:08:48.279,0:08:52.110
macro name bonus

0:08:52.110,0:08:56.680
okay so the formula will be again it

0:08:56.680,0:09:06.029
will be non evil based okay eval bonus

0:09:07.860,0:09:13.839
equals two so my variable percent right

0:09:13.839,0:09:16.270
I have to provide as a input so I'll

0:09:16.270,0:09:18.790
giving input so let's say this time I

0:09:18.790,0:09:21.610
will rename this to something maybe so

0:09:21.610,0:09:27.810
I'll say dollar VP dollar then plus

0:09:27.810,0:09:30.580
another input I will be giving let's say

0:09:30.580,0:09:36.540
bonus input okay so this bonus I will be

0:09:36.540,0:09:42.190
adding here okay Nonna's so we have two

0:09:42.190,0:09:44.080
inputs that means we have to give two

0:09:44.080,0:09:47.440
over here now I'll add an expression now

0:09:47.440,0:09:50.260
I always want this bonus to be in number

0:09:50.260,0:09:53.589
okay do that i'll so this validation

0:09:53.589,0:09:55.690
expression has to be a boolean

0:09:55.690,0:09:59.079
expression or eval okay so if you saw my

0:09:59.079,0:10:01.209
previous video we we discussed about

0:10:01.209,0:10:04.390
various evil expressions right and some

0:10:04.390,0:10:06.160
of the expressions returns bully and the

0:10:06.160,0:10:08.800
strict like operator or in operator or

0:10:08.800,0:10:11.770
easy num operator which basically checks

0:10:11.770,0:10:15.220
whether a particular input is number or

0:10:15.220,0:10:17.230
not so you will be using is numb over

0:10:17.230,0:10:20.529
here on this bonus that means I am

0:10:20.529,0:10:23.290
checking whether whatever I am providing

0:10:23.290,0:10:25.380
as the input to this bonus variable

0:10:25.380,0:10:28.630
parameter whether it is number or not if

0:10:28.630,0:10:32.350
it is not number will I will give this

0:10:32.350,0:10:36.670
in this output error message bonus must

0:10:36.670,0:10:41.490
be and number okay

0:10:41.490,0:10:50.110
so let's save this macro okay now I will

0:10:50.110,0:10:56.950
call this macro here let it be my total

0:10:56.950,0:11:01.779
salary macro called as is if I just do

0:11:01.779,0:11:03.530
control see

0:11:03.530,0:11:06.530
okay here I'm calling my total salary so

0:11:06.530,0:11:08.930
to stick the output now after that I'll

0:11:08.930,0:11:14.930
be calling the bonus macro it's a

0:11:14.930,0:11:17.960
similar way tick macro named micro

0:11:17.960,0:11:19.760
inputs one of the inputs will be my

0:11:19.760,0:11:22.820
variable percent and another another

0:11:22.820,0:11:25.790
output may be let's say 8 percent I want

0:11:25.790,0:11:28.400
to add with the variable percent so what

0:11:28.400,0:11:30.770
will be output in this case it should

0:11:30.770,0:11:33.560
create a new field called bonus with 15

0:11:33.560,0:11:35.780
plus 8 20 plus 8 something like this

0:11:35.780,0:11:39.400
okay if you see you can create you can

0:11:39.400,0:11:41.870
access different different macros in

0:11:41.870,0:11:48.140
your whole search okay now let's say I

0:11:48.140,0:11:52.570
have provided a string here it says test

0:11:52.570,0:11:55.280
ok what is happening so if you provide

0:11:55.280,0:11:57.770
this thing here that validation is

0:11:57.770,0:11:59.660
getting failed we have added over here

0:11:59.660,0:12:02.450
is numb so that set is giving you this

0:12:02.450,0:12:05.510
error bonus must be a number so this is

0:12:05.510,0:12:10.250
how macro input validation works ok let

0:12:10.250,0:12:15.280
us continue now we will discuss about

0:12:15.280,0:12:18.830
how to create an eval macro so to do

0:12:18.830,0:12:22.520
that what we'll do is first let me show

0:12:22.520,0:12:24.920
you two things if you remember from my

0:12:24.920,0:12:28.220
previous video we have created a command

0:12:28.220,0:12:31.940
called gate churners right and that

0:12:31.940,0:12:33.800
common takes an input with the journal

0:12:33.800,0:12:36.410
ID and if we are not giving any general

0:12:36.410,0:12:38.780
idea giving star it will give you all

0:12:38.780,0:12:41.780
the journal titles right and also we

0:12:41.780,0:12:47.630
have a we have created a our we have

0:12:47.630,0:12:50.750
index our data into this main index

0:12:50.750,0:12:52.130
right so you have another data set

0:12:52.130,0:12:54.200
called main where we have we're having

0:12:54.200,0:12:56.270
this salary and this information just

0:12:56.270,0:12:58.520
now you are working with a data set so

0:12:58.520,0:13:01.000
suppose there is a requirement that

0:13:01.000,0:13:04.730
based on certain condition either I need

0:13:04.730,0:13:09.110
to go with this data set or I need to go

0:13:09.110,0:13:11.330
with this data set in this type of

0:13:11.330,0:13:13.730
scenario where dynamically you have to

0:13:13.730,0:13:15.980
determine which data set to work on or

0:13:15.980,0:13:17.329
dynamically

0:13:17.329,0:13:20.600
in which search string to which search

0:13:20.600,0:13:22.549
things were written that means to

0:13:22.549,0:13:25.100
assistant to work with eval macros are

0:13:25.100,0:13:28.489
coming into picture okay so because the

0:13:28.489,0:13:31.129
main concept behind evil macro is it has

0:13:31.129,0:13:34.279
to return a string so in that case how

0:13:34.279,0:13:36.410
we will create is like this let's say

0:13:36.410,0:13:39.529
new search macro I'll give a name call

0:13:39.529,0:13:46.579
gate channel or main index okay just

0:13:46.579,0:13:48.679
like the name just to show you the use

0:13:48.679,0:13:51.980
case of it so here what I will write I

0:13:51.980,0:13:53.899
will write it if or case statement

0:13:53.899,0:13:55.489
really mostly we light a key for case

0:13:55.489,0:13:59.329
statement for eval based macro so case

0:13:59.329,0:14:02.089
so that we can have different different

0:14:02.089,0:14:03.470
condition and based on the condition we

0:14:03.470,0:14:05.239
will be returning the search string but

0:14:05.239,0:14:07.220
ultimately if you see we are in the

0:14:07.220,0:14:09.019
start sitting only at the end of the day

0:14:09.019,0:14:11.029
so that Splunk will replace that macro

0:14:11.029,0:14:13.399
with that search string so i'm saying i

0:14:13.399,0:14:17.649
will provide argument here let's say

0:14:17.649,0:14:21.170
same same argument name let's say so

0:14:21.170,0:14:23.360
either i will provide gate channel or i

0:14:23.360,0:14:25.879
will provide main as my or argument

0:14:25.879,0:14:27.980
value okay i'll show you how how i

0:14:27.980,0:14:31.519
provide that one case i am saying my

0:14:31.519,0:14:37.669
input taller this one dollar is equals

0:14:37.669,0:14:42.860
to let us say gate channel okay as it is

0:14:42.860,0:14:46.639
within quotes remember that if this one

0:14:46.639,0:14:49.699
has to be quotes as well or when you are

0:14:49.699,0:14:51.559
calling you have to call with this with

0:14:51.559,0:14:53.839
course i prefer to be like this only so

0:14:53.839,0:14:55.610
that everything is in your inside your

0:14:55.610,0:14:58.699
macro only in that case the string I

0:14:58.699,0:15:04.999
will return is this kind get Jenna star

0:15:04.999,0:15:07.129
now you have to be very careful over

0:15:07.129,0:15:10.459
here when you dil Dil with a generating

0:15:10.459,0:15:11.869
command if you seek it generates a

0:15:11.869,0:15:13.610
generating comment right thats why this

0:15:13.610,0:15:15.019
has to be the first command in your

0:15:15.019,0:15:19.869
search string now for generating comment

0:15:19.869,0:15:22.549
when you run it if you see there is a

0:15:22.549,0:15:25.220
bar over here search bar right after

0:15:25.220,0:15:27.049
that only if I run this command without

0:15:27.049,0:15:29.810
this word nothing will come up

0:15:29.810,0:15:32.149
it requires this bar but when you put

0:15:32.149,0:15:35.480
this gate Jenner star this generating

0:15:35.480,0:15:38.959
command inside a macro so you put it

0:15:38.959,0:15:41.089
without the bar so that when you call

0:15:41.089,0:15:43.939
the macro you will call with bar then

0:15:43.939,0:15:45.319
macro name I will show you that one as

0:15:45.319,0:15:47.660
well but that's why I am giving without

0:15:47.660,0:15:50.540
the bar here this is this has to be very

0:15:50.540,0:15:53.110
careful with the generating comments

0:15:53.110,0:15:55.309
because if you put bar inside it will

0:15:55.309,0:16:01.069
not work now when my input is main ok in

0:16:01.069,0:16:04.579
that case I will return the string

0:16:04.579,0:16:10.309
called search index equals two main here

0:16:10.309,0:16:12.620
also another good thing is when you run

0:16:12.620,0:16:14.540
index equals two main from your search

0:16:14.540,0:16:16.670
prompt right you do not need to mention

0:16:16.670,0:16:18.680
search then index equals two main

0:16:18.680,0:16:21.829
because that is by default comes up but

0:16:21.829,0:16:23.899
when you use it in a macro or somewhere

0:16:23.899,0:16:24.230
else

0:16:24.230,0:16:27.110
you have to put it like this search then

0:16:27.110,0:16:31.160
index equals to me okay so this thing I

0:16:31.160,0:16:33.350
will be returning says my macro has one

0:16:33.350,0:16:37.069
input so I will be giving one here okay

0:16:37.069,0:16:39.230
validation we are not doing anything now

0:16:39.230,0:16:44.389
so let's save it okay this is our third

0:16:44.389,0:16:48.769
macro so get general or main see if I

0:16:48.769,0:16:53.750
run this macro now okay so as I said it

0:16:53.750,0:16:56.149
has a generating comment that's why I am

0:16:56.149,0:16:59.959
giving a bar over here then my take and

0:16:59.959,0:17:03.680
then my input let's say I will be giving

0:17:03.680,0:17:09.530
input s get general I want to know I

0:17:09.530,0:17:11.480
want to work with the data set to get

0:17:11.480,0:17:21.220
channel okay so if let's see okay

0:17:21.220,0:17:28.370
bracket this missing over here save now

0:17:28.370,0:17:30.020
if you see if I run this macro again it

0:17:30.020,0:17:31.640
is giving me same because sometimes it's

0:17:31.640,0:17:34.520
not you don't take the refreshed value

0:17:34.520,0:17:36.620
so what I will do in this case just copy

0:17:36.620,0:17:41.690
this code close it Danny taking such

0:17:41.690,0:17:43.340
Factory unknown search comma

0:17:43.340,0:17:55.850
and case to see what's going on okay it

0:17:55.850,0:17:58.280
has to be evil waste macro because it is

0:17:58.280,0:18:01.190
running a string now right so let's say

0:18:01.190,0:18:10.760
wait and let it is not okay now if you

0:18:10.760,0:18:13.910
see if I run this gate general macro so

0:18:13.910,0:18:15.410
it is giving me this data set where it

0:18:15.410,0:18:17.230
is running that gate general Starr

0:18:17.230,0:18:19.130
generating command and giving me this

0:18:19.130,0:18:23.510
result if I say main in this case it is

0:18:23.510,0:18:26.090
giving me this data set where I have

0:18:26.090,0:18:29.750
index my data so this is how you can

0:18:29.750,0:18:33.020
create a evil waste macro okay so now

0:18:33.020,0:18:36.770
macro has a diff separate permissions as

0:18:36.770,0:18:39.590
well if you see from this macro macro

0:18:39.590,0:18:44.090
list page you can and you can set the

0:18:44.090,0:18:46.430
permissions as well so currently I will

0:18:46.430,0:18:48.050
show you I will set this permission as

0:18:48.050,0:18:50.330
this upon't Li and read I will say

0:18:50.330,0:18:52.940
everyone and right let's say admin let's

0:18:52.940,0:18:57.380
do it for all the macros permission so

0:18:57.380,0:18:58.520
you have to be very careful with the

0:18:58.520,0:19:02.480
macro permissions as well otherwise any

0:19:02.480,0:19:04.520
unprivileged user will not be able to

0:19:04.520,0:19:07.100
run this macro and your dashboard will

0:19:07.100,0:19:11.890
not show up anything so read/write okay

0:19:11.890,0:19:14.330
now we have set the permissions of the

0:19:14.330,0:19:17.120
macro as well now let's see what's going

0:19:17.120,0:19:19.490
on at the background so I am in my

0:19:19.490,0:19:24.020
Splunk home I will go to a TC apps tmdb

0:19:24.020,0:19:26.990
F and I will go to my local folder if

0:19:26.990,0:19:28.970
you see whenever you creates a macro

0:19:28.970,0:19:31.220
it's creates a another Khan file called

0:19:31.220,0:19:34.100
macro scones I will open this file and

0:19:34.100,0:19:37.190
if you see all different macros we have

0:19:37.190,0:19:39.080
created its gate separate separate

0:19:39.080,0:19:43.040
stanza for that macro name and with all

0:19:43.040,0:19:45.920
the input numbers right and args is the

0:19:45.920,0:19:49.070
inputs of this macros wait for bonus if

0:19:49.070,0:19:52.820
you see here for bonus my arguments are

0:19:52.820,0:19:55.520
VPN bonus like two arguments those are

0:19:55.520,0:19:56.840
showing up here this

0:19:56.840,0:19:59.240
the macro definition this is the error

0:19:59.240,0:20:02.029
message you set it for this macro this

0:20:02.029,0:20:03.320
is the validation you have set it for

0:20:03.320,0:20:06.470
this macro and this is evil is telling

0:20:06.470,0:20:08.480
you whether this macro is well based or

0:20:08.480,0:20:10.909
not as our last macro get general or

0:20:10.909,0:20:13.789
main is evil ways that Troy is evil is

0:20:13.789,0:20:16.130
one for rest of the - macros easy well

0:20:16.130,0:20:21.080
is zero okay now you can you can call a

0:20:21.080,0:20:23.779
macro another inside another macro so to

0:20:23.779,0:20:26.690
do that let's do this exercise where we

0:20:26.690,0:20:28.490
have created these totals energy right

0:20:28.490,0:20:29.929
and also bonus

0:20:29.929,0:20:31.940
so inside total Cirelli we will try to

0:20:31.940,0:20:35.059
call this bonus one who do that I will

0:20:35.059,0:20:37.549
do one thing I will clone this total

0:20:37.549,0:20:40.309
celery macro no I like this let's let's

0:20:40.309,0:20:43.870
get a new one only it's a total salary

0:20:43.870,0:20:48.460
total salary

0:20:49.779,0:20:50.990
yv2

0:20:50.990,0:20:53.870
version - okay so what I will do it will

0:20:53.870,0:20:57.200
not be well based macro let's say my

0:20:57.200,0:21:01.850
previous will be there he well right so

0:21:01.850,0:21:06.200
it has two arguments basic salary and

0:21:06.200,0:21:11.149
variable percent right now I'll be

0:21:11.149,0:21:14.419
adding this bonus as well so bonus

0:21:14.419,0:21:16.279
requires another extra input called

0:21:16.279,0:21:19.460
bonus right so I will be adding this as

0:21:19.460,0:21:23.179
a extra input comma this so my total

0:21:23.179,0:21:27.020
macro inputs will be three basic salary

0:21:27.020,0:21:29.750
and variable pay will be he'll be used

0:21:29.750,0:21:33.020
here and variable pay and bonus will be

0:21:33.020,0:21:35.659
used in another evil statement which we

0:21:35.659,0:21:37.730
have which will be a calling in this

0:21:37.730,0:21:40.760
bonus macro right so in this case I will

0:21:40.760,0:21:44.360
be calling this bonus macro inside so

0:21:44.360,0:21:48.830
I'll say this one pipe then my bonus

0:21:48.830,0:21:51.549
macro bonus macro takes two arguments

0:21:51.549,0:21:54.830
one is variable percent and another is

0:21:54.830,0:21:59.659
bonus so variable percent I'll pass and

0:21:59.659,0:22:04.370
I'll pass this bonus as well so ideally

0:22:04.370,0:22:06.740
the behavior should be same as we have

0:22:06.740,0:22:10.530
seen before right so

0:22:10.530,0:22:18.750
done tick okay so now let's save it okay

0:22:18.750,0:22:21.690
so total sir I do so before before I do

0:22:21.690,0:22:27.030
that so let us run our macro so I'll

0:22:27.030,0:22:31.669
just copy paste that code portion here

0:22:31.669,0:22:35.850
right so I'll just copy paste this code

0:22:35.850,0:22:37.880
portion here

0:22:37.880,0:22:41.190
it's a macro total salary nan okay I

0:22:41.190,0:22:47.390
think total I am my macro is total 7

0:22:54.260,0:23:00.000
this mismatch parenthesis okay okay so

0:23:00.000,0:23:03.000
it has created this one in this new new

0:23:03.000,0:23:06.330
field in the new search field what I

0:23:06.330,0:23:09.510
will do is on after this one

0:23:09.510,0:23:13.020
I will be calling my total salary

0:23:13.020,0:23:16.020
version 2 macro okay what it is doing

0:23:16.020,0:23:18.480
the work of both of these 2 bonus and

0:23:18.480,0:23:20.880
total salary right so total salary

0:23:20.880,0:23:26.640
version - okay so my tick version 2

0:23:26.640,0:23:29.580
version 2 requires three arguments one

0:23:29.580,0:23:32.220
is my basic salary variable percent and

0:23:32.220,0:23:35.039
the similar person value I will gives 8

0:23:35.039,0:23:36.929
so that we can at least compare what's

0:23:36.929,0:23:41.340
the outputs so if I run this one see if

0:23:41.340,0:23:42.720
it is it is working in the same way

0:23:42.720,0:23:45.150
where it is getting this bonus field and

0:23:45.150,0:23:46.860
total salary and if you see the output

0:23:46.860,0:23:49.549
is same as well

0:23:49.549,0:23:53.700
15:22 we have given seven here okay

0:23:53.700,0:23:57.600
let's let's run it with seven only see

0:23:57.600,0:23:59.159
if you see fifteen twenty two twenty two

0:23:59.159,0:24:01.770
twenty seventeen ten seventy like this

0:24:01.770,0:24:05.610
okay so this is how you can call a macro

0:24:05.610,0:24:08.370
inside another macro as well so if you

0:24:08.370,0:24:11.940
see here by by by by this structure you

0:24:11.940,0:24:14.850
can achieve a very complex structure as

0:24:14.850,0:24:18.179
well and complex structure which which

0:24:18.179,0:24:20.250
is basically a useable component in

0:24:20.250,0:24:24.210
Splunk search query okay so this is how

0:24:24.210,0:24:26.520
you need to know basically to deal with

0:24:26.520,0:24:29.790
macros and macros are very useful in

0:24:29.790,0:24:32.760
Splunk because not only it it it gives

0:24:32.760,0:24:36.240
you the modularity approach but also

0:24:36.240,0:24:38.820
it's it's is give you the very shorter

0:24:38.820,0:24:41.070
search string and very readable course

0:24:41.070,0:24:45.350
as well ok see you in next video