1 00:00:00,030 --> 00:00:02,939 okay today we will discuss about Splunk 2 00:00:02,939 --> 00:00:06,240 macros okay so Splunk macros you can 3 00:00:06,240 --> 00:00:09,090 think of it as a reusable component in 4 00:00:09,090 --> 00:00:12,960 your Splunk search where suppose a 5 00:00:12,960 --> 00:00:15,870 particular search portion if it is using 6 00:00:15,870 --> 00:00:18,930 if you are using many times mmm then you 7 00:00:18,930 --> 00:00:20,460 can put it in a macro so that you can 8 00:00:20,460 --> 00:00:23,580 call that macro and the macro will be 9 00:00:23,580 --> 00:00:26,310 replaced runtime with that search string 10 00:00:26,310 --> 00:00:28,920 okay so macros are very very useful when 11 00:00:28,920 --> 00:00:31,890 suppose you have many dashboards in your 12 00:00:31,890 --> 00:00:34,590 application and in all these dashboards you 13 00:00:34,590 --> 00:00:38,670 have some search which is running in all 14 00:00:38,670 --> 00:00:41,610 the dashboards right so in this case you 15 00:00:41,610 --> 00:00:43,410 can implement that search portion in a 16 00:00:43,410 --> 00:00:45,680 macro where you can just call that macro 17 00:00:45,680 --> 00:00:47,850 instead of this whole search string in 18 00:00:47,850 --> 00:00:50,370 your dashboards so in the future if you 19 00:00:50,370 --> 00:00:52,440 want to do any changes in that search 20 00:00:52,440 --> 00:00:55,140 logic you will just change into the into 21 00:00:55,140 --> 00:00:58,530 one place in that in macro body okay so 22 00:00:58,530 --> 00:01:01,350 so by implementing macro basically we 23 00:01:01,350 --> 00:01:04,170 are achieving two things one is the 24 00:01:04,170 --> 00:01:06,930 modularity of your code easily 25 00:01:06,930 --> 00:01:09,630 maintaining of your code and as well as 26 00:01:09,630 --> 00:01:11,250 your search string will be very much 27 00:01:11,250 --> 00:01:15,720 smaller okay so there are there are 28 00:01:15,720 --> 00:01:18,689 couple - two different types of macro we 
29 00:01:18,689 --> 00:01:20,580 generally deals with one is eval based 30 00:01:20,580 --> 00:01:23,189 macro and there is non-eval-based 31 00:01:23,189 --> 00:01:26,400 macro so before we discuss those things 32 00:01:26,400 --> 00:01:29,790 let me show you the data I have it here 33 00:01:29,790 --> 00:01:32,909 so I have some people name and their 34 00:01:32,909 --> 00:01:36,270 basic salary and and variable percent so 35 00:01:36,270 --> 00:01:39,720 I'll show you to how to create eval 36 00:01:39,720 --> 00:01:42,420 based macro how to create non-eval-based 37 00:01:42,420 --> 00:01:43,710 macro and what are the differences 38 00:01:43,710 --> 00:01:47,939 between them and and then how to call 39 00:01:47,939 --> 00:01:49,860 macro inside a macro also we will try to 40 00:01:49,860 --> 00:01:52,470 discuss that one okay so first let us 41 00:01:52,470 --> 00:01:56,759 see how we can create a non-eval macro 42 00:01:56,759 --> 00:02:00,409 so non-eval macro and eval macro 43 00:02:00,409 --> 00:02:03,600 if you see functionality-wise both are 44 00:02:03,600 --> 00:02:07,020 same so when we define a macro the macro 45 00:02:07,020 --> 00:02:09,890 body you are giving this string right so 46 00:02:09,890 --> 00:02:12,900 dynamically in the run time 47 00:02:12,900 --> 00:02:15,670 macro will be definite will be replaced 48 00:02:15,670 --> 00:02:18,160 by that macro body by Splunk search 49 00:02:18,160 --> 00:02:22,810 okay now when we talk about eval based 50 00:02:22,810 --> 00:02:26,500 macro it is expected that the macro is 51 00:02:26,500 --> 00:02:29,890 returning a string when you use non eval 52 00:02:29,890 --> 00:02:32,140 based macro you can directly put the 53 00:02:32,140 --> 00:02:34,210 search string inside the macro so let me 54 00:02:34,210 --> 00:02:37,240 show you suppose I wanted to calculate 55 00:02:37,240 --> 00:02:40,000 total salary based on this formula 56 00:02:40,000 --> 00:02:43,240 called basic salary let me show you 
57 00:02:43,240 --> 00:02:50,340 basic salary plus basic into that 58 00:02:50,340 --> 00:02:54,160 percentage variable percentage variable 59 00:02:54,160 --> 00:02:58,390 percent okay so to do that to create any 60 00:02:58,390 --> 00:03:01,180 macro from the Splunk UI this is how you 61 00:03:01,180 --> 00:03:03,850 do it we'll go to settings we go to 62 00:03:03,850 --> 00:03:08,170 advanced search okay from there if you 63 00:03:08,170 --> 00:03:10,780 see there is a option called search 64 00:03:10,780 --> 00:03:13,270 macros you go there you select your app 65 00:03:13,270 --> 00:03:15,520 from there so I'll be creating this 66 00:03:15,520 --> 00:03:17,800 macro in my tmdb app so I have selected 67 00:03:17,800 --> 00:03:20,850 tmdb over here then new search macro 68 00:03:20,850 --> 00:03:23,709 okay if you see the destination I've 69 00:03:23,709 --> 00:03:26,410 already selected as tmdb I'll give it a 70 00:03:26,410 --> 00:03:36,150 name let's say total salary okay so now 71 00:03:36,150 --> 00:03:39,220 whether a macro is eval based or not 72 00:03:39,220 --> 00:03:41,200 determined by this check box if you 73 00:03:41,200 --> 00:03:42,790 check this one it will be eval based 74 00:03:42,790 --> 00:03:45,489 macro if you don't just check this one 75 00:03:45,489 --> 00:03:48,220 it will be a non-eval-based macro so the 76 00:03:48,220 --> 00:03:49,660 first we will discuss about non eval 77 00:03:49,660 --> 00:03:51,730 based macro so what I am trying to say 78 00:03:51,730 --> 00:03:55,180 is when you what I said is whenever we 79 00:03:55,180 --> 00:03:57,459 are creating a non-eval-based macro we 80 00:03:57,459 --> 00:03:59,110 can directly give a search string over 81 00:03:59,110 --> 00:04:01,270 there so my search string will be 82 00:04:01,270 --> 00:04:03,160 something like this I will be creating a 83 00:04:03,160 --> 00:04:05,890 new field called total salary so that's 84 00:04:05,890 --> 00:04:13,510 why that eval total salary equals to now 
85 00:04:13,510 --> 00:04:17,380 I will be passing this to my basic 86 00:04:17,380 --> 00:04:19,870 salary and variable percent to this 87 00:04:19,870 --> 00:04:22,720 macro right to do that what I will do 88 00:04:22,720 --> 00:04:26,080 I'll create a argument of this macro 89 00:04:26,080 --> 00:04:28,300 in basic salary so in the argument 90 00:04:28,300 --> 00:04:32,550 section you will be giving control C 91 00:04:32,550 --> 00:04:35,710 these two things basic salary and 92 00:04:35,710 --> 00:04:40,360 variable percent as two arguments as the 93 00:04:40,360 --> 00:04:42,789 macro has two arguments it is mandatory 94 00:04:42,789 --> 00:04:46,780 that in this name section you give how 95 00:04:46,780 --> 00:04:48,819 many number of arguments you have in 96 00:04:48,819 --> 00:04:50,830 your macro if it is one you have to give 97 00:04:50,830 --> 00:04:55,629 one here okay now the formula is my 98 00:04:55,629 --> 00:04:59,139 basic salary now this basic salary is my 99 00:04:59,139 --> 00:05:03,009 input variable right so to access input 100 00:05:03,009 --> 00:05:04,780 variable you access like this just like 101 00:05:04,780 --> 00:05:11,770 a token okay basic salary plus my basic 102 00:05:11,770 --> 00:05:21,159 salary into that variable percent again 103 00:05:21,159 --> 00:05:26,319 as input I am accessing right then 104 00:05:26,319 --> 00:05:29,849 divide it by 100 so this will be my 105 00:05:29,849 --> 00:05:33,759 macro body now there is a two options 106 00:05:33,759 --> 00:05:35,229 for validation expression and validation 107 00:05:35,229 --> 00:05:36,580 error message I will show you in the 108 00:05:36,580 --> 00:05:42,400 next macro see if I save it okay 109 00:05:42,400 --> 00:05:44,909 so if you see the macro has been created 110 00:05:44,909 --> 00:05:49,509 now if I call this macro over here so to 111 00:05:49,509 --> 00:05:51,520 call a macro this is how you call there 112 00:05:51,520 --> 00:05:54,400 is a tick mark if you see 
okay from your 113 00:05:54,400 --> 00:06:01,060 keyboard then the macro name total 114 00:06:01,060 --> 00:06:04,690 salary and it has two arguments right my 115 00:06:04,690 --> 00:06:08,699 basic salary and my variable percent 116 00:06:08,699 --> 00:06:13,150 then tick end now this basic salary is 117 00:06:13,150 --> 00:06:15,129 corresponds to this basic salary and 118 00:06:15,129 --> 00:06:16,719 variable percent corresponds to this 119 00:06:16,719 --> 00:06:18,069 variable percent field 120 00:06:18,069 --> 00:06:21,279 now when you define the macro I have 121 00:06:21,279 --> 00:06:23,050 given the same name as macro input you 122 00:06:23,050 --> 00:06:26,080 can give any any input variable name 123 00:06:26,080 --> 00:06:28,000 over here the same name you have to use 124 00:06:28,000 --> 00:06:30,580 over here as well but when you pass a 125 00:06:30,580 --> 00:06:33,759 macro pass this basic salary and variable 126 00:06:33,759 --> 00:06:35,860 percent to this macro you'll be giving 127 00:06:35,860 --> 00:06:37,449 this field name only 128 00:06:37,449 --> 00:06:40,270 so let us run it and see what's going on 129 00:06:40,270 --> 00:06:43,889 if you see it has created a total salary 130 00:06:43,889 --> 00:06:47,650 field with this formula output 4000 plus 131 00:06:47,650 --> 00:06:51,819 4000 into 15% is 4,600 right so it is 132 00:06:51,819 --> 00:06:54,639 basically same as the run time what is 133 00:06:54,639 --> 00:06:58,120 happening is something like this so if I 134 00:06:58,120 --> 00:07:00,099 instead of total salary if I just gave 135 00:07:00,099 --> 00:07:04,300 this one and instead of this token 136 00:07:04,300 --> 00:07:07,960 variable I just give my field name here 137 00:07:07,960 --> 00:07:14,490 the output will be same variable percent 138 00:07:14,490 --> 00:07:18,520 the output will be same so this is how 139 00:07:18,520 --> 00:07:21,490 what is happening as well so run time 140 00:07:21,490 --> 00:07:25,060 Splunk is replacing 
this macro body with 141 00:07:25,060 --> 00:07:28,029 this variable inputs and then it is 142 00:07:28,029 --> 00:07:29,710 running the query so ultimately this 143 00:07:29,710 --> 00:07:32,740 code is getting run okay so but the 144 00:07:32,740 --> 00:07:34,960 thing is this this code if you put it in 145 00:07:34,960 --> 00:07:36,909 a macro you can call that macro in any 146 00:07:36,909 --> 00:07:39,129 new search so that means that this code 147 00:07:39,129 --> 00:07:42,490 portions will be reusable now okay now 148 00:07:42,490 --> 00:07:46,149 let's see an example where we can use 149 00:07:46,149 --> 00:07:47,680 this validation expression and 150 00:07:47,680 --> 00:07:49,270 validation error message now a 151 00:07:49,270 --> 00:07:51,699 validation expression is used when you 152 00:07:51,699 --> 00:07:54,819 want to do some kind of validation on 153 00:07:54,819 --> 00:08:00,279 your macro inputs okay so and validation 154 00:08:00,279 --> 00:08:02,830 error message means when this input is 155 00:08:02,830 --> 00:08:04,749 getting or this validation is getting 156 00:08:04,749 --> 00:08:06,430 failed this error message will be 157 00:08:06,430 --> 00:08:09,459 displayed over there so to do that what 158 00:08:09,459 --> 00:08:14,639 I will do is I'll create another macro 159 00:08:14,639 --> 00:08:20,110 okay so now let's say we have basic 160 00:08:20,110 --> 00:08:22,569 salary and variable percent right let's 161 00:08:22,569 --> 00:08:24,789 say we want to calculate a bonus 162 00:08:24,789 --> 00:08:27,669 percentage with this formula called 163 00:08:27,669 --> 00:08:32,349 variable percent variable percent plus 164 00:08:32,349 --> 00:08:35,620 any any of the percent any number let's 165 00:08:35,620 --> 00:08:37,930 say seven percent or eight in a number 166 00:08:37,930 --> 00:08:40,539 I'll provide inputs it will give me it 167 00:08:40,539 --> 00:08:43,060 will add those two percentage value and 168 00:08:43,060 --> 00:08:45,610 give me 
the bonus percent okay so to do 169 00:08:45,610 --> 00:08:48,279 that I will just create that similar 170 00:08:48,279 --> 00:08:52,110 macro name bonus 171 00:08:52,110 --> 00:08:56,680 okay so the formula will be again it 172 00:08:56,680 --> 00:09:06,029 will be non-eval based okay eval bonus 173 00:09:07,860 --> 00:09:13,839 equals to so my variable percent right 174 00:09:13,839 --> 00:09:16,270 I have to provide as a input so I'll 175 00:09:16,270 --> 00:09:18,790 giving input so let's say this time I 176 00:09:18,790 --> 00:09:21,610 will rename this to something maybe so 177 00:09:21,610 --> 00:09:27,810 I'll say dollar VP dollar then plus 178 00:09:27,810 --> 00:09:30,580 another input I will be giving let's say 179 00:09:30,580 --> 00:09:36,540 bonus input okay so this bonus I will be 180 00:09:36,540 --> 00:09:42,190 adding here okay bonus so we have two 181 00:09:42,190 --> 00:09:44,080 inputs that means we have to give two 182 00:09:44,080 --> 00:09:47,440 over here now I'll add an expression now 183 00:09:47,440 --> 00:09:50,260 I always want this bonus to be in number 184 00:09:50,260 --> 00:09:53,589 okay to do that I'll so this validation 185 00:09:53,589 --> 00:09:55,690 expression has to be a boolean 186 00:09:55,690 --> 00:09:59,079 expression or eval okay so if you saw my 187 00:09:59,079 --> 00:10:01,209 previous video we we discussed about 188 00:10:01,209 --> 00:10:04,390 various eval expressions right and some 189 00:10:04,390 --> 00:10:06,160 of the expressions returns boolean and the 190 00:10:06,160 --> 00:10:08,800 strict like operator or in operator or 191 00:10:08,800 --> 00:10:11,770 isnum operator which basically checks 192 00:10:11,770 --> 00:10:15,220 whether a particular input is number or 193 00:10:15,220 --> 00:10:17,230 not so you will be using isnum over 194 00:10:17,230 --> 00:10:20,529 here on this bonus that means I am 195 00:10:20,529 --> 00:10:23,290 checking whether whatever I am providing 196 00:10:23,290 --> 
00:10:25,380 as the input to this bonus variable 197 00:10:25,380 --> 00:10:28,630 parameter whether it is number or not if 198 00:10:28,630 --> 00:10:32,350 it is not number will I will give this 199 00:10:32,350 --> 00:10:36,670 in this output error message bonus must 200 00:10:36,670 --> 00:10:41,490 be a number okay 201 00:10:41,490 --> 00:10:50,110 so let's save this macro okay now I will 202 00:10:50,110 --> 00:10:56,950 call this macro here let it be my total 203 00:10:56,950 --> 00:11:01,779 salary macro called as is if I just do 204 00:11:01,779 --> 00:11:03,530 control C 205 00:11:03,530 --> 00:11:06,530 okay here I'm calling my total salary so 206 00:11:06,530 --> 00:11:08,930 to stick the output now after that I'll 207 00:11:08,930 --> 00:11:14,930 be calling the bonus macro it's a 208 00:11:14,930 --> 00:11:17,960 similar way tick macro name macro 209 00:11:17,960 --> 00:11:19,760 inputs one of the inputs will be my 210 00:11:19,760 --> 00:11:22,820 variable percent and another another 211 00:11:22,820 --> 00:11:25,790 output may be let's say 8 percent I want 212 00:11:25,790 --> 00:11:28,400 to add with the variable percent so what 213 00:11:28,400 --> 00:11:30,770 will be output in this case it should 214 00:11:30,770 --> 00:11:33,560 create a new field called bonus with 15 215 00:11:33,560 --> 00:11:35,780 plus 8 20 plus 8 something like this 216 00:11:35,780 --> 00:11:39,400 okay if you see you can create you can 217 00:11:39,400 --> 00:11:41,870 access different different macros in 218 00:11:41,870 --> 00:11:48,140 your whole search okay now let's say I 219 00:11:48,140 --> 00:11:52,570 have provided a string here it says test 220 00:11:52,570 --> 00:11:55,280 ok what is happening so if you provide 221 00:11:55,280 --> 00:11:57,770 this thing here that validation is 222 00:11:57,770 --> 00:11:59,660 getting failed we have added over here 223 00:11:59,660 --> 00:12:02,450 isnum so that set is giving you this 224 00:12:02,450 --> 00:12:05,510 
error bonus must be a number so this is 225 00:12:05,510 --> 00:12:10,250 how macro input validation works ok let 226 00:12:10,250 --> 00:12:15,280 us continue now we will discuss about 227 00:12:15,280 --> 00:12:18,830 how to create an eval macro so to do 228 00:12:18,830 --> 00:12:22,520 that what we'll do is first let me show 229 00:12:22,520 --> 00:12:24,920 you two things if you remember from my 230 00:12:24,920 --> 00:12:28,220 previous video we have created a command 231 00:12:28,220 --> 00:12:31,940 called gate churners right and that 232 00:12:31,940 --> 00:12:33,800 command takes an input with the journal 233 00:12:33,800 --> 00:12:36,410 ID and if we are not giving any general 234 00:12:36,410 --> 00:12:38,780 idea giving star it will give you all 235 00:12:38,780 --> 00:12:41,780 the journal titles right and also we 236 00:12:41,780 --> 00:12:47,630 have a we have created a our we have 237 00:12:47,630 --> 00:12:50,750 index our data into this main index 238 00:12:50,750 --> 00:12:52,130 right so you have another data set 239 00:12:52,130 --> 00:12:54,200 called main where we have we're having 240 00:12:54,200 --> 00:12:56,270 this salary and this information just 241 00:12:56,270 --> 00:12:58,520 now you are working with a data set so 242 00:12:58,520 --> 00:13:01,000 suppose there is a requirement that 243 00:13:01,000 --> 00:13:04,730 based on certain condition either I need 244 00:13:04,730 --> 00:13:09,110 to go with this data set or I need to go 245 00:13:09,110 --> 00:13:11,330 with this data set in this type of 246 00:13:11,330 --> 00:13:13,730 scenario where dynamically you have to 247 00:13:13,730 --> 00:13:15,980 determine which data set to work on or 248 00:13:15,980 --> 00:13:17,329 dynamically 249 00:13:17,329 --> 00:13:20,600 in which search string to which search 250 00:13:20,600 --> 00:13:22,549 things were written that means to 251 00:13:22,549 --> 00:13:25,100 assistant to work with eval macros are 252 00:13:25,100 --> 00:13:28,489 
coming into picture okay so because the 253 00:13:28,489 --> 00:13:31,129 main concept behind eval macro is it has 254 00:13:31,129 --> 00:13:34,279 to return a string so in that case how 255 00:13:34,279 --> 00:13:36,410 we will create is like this let's say 256 00:13:36,410 --> 00:13:39,529 new search macro I'll give a name call 257 00:13:39,529 --> 00:13:46,579 gate channel or main index okay just 258 00:13:46,579 --> 00:13:48,679 like the name just to show you the use 259 00:13:48,679 --> 00:13:51,980 case of it so here what I will write I 260 00:13:51,980 --> 00:13:53,899 will write an if or case statement 261 00:13:53,899 --> 00:13:55,489 really mostly we write an if or case 262 00:13:55,489 --> 00:13:59,329 statement for eval based macro so case 263 00:13:59,329 --> 00:14:02,089 so that we can have different different 264 00:14:02,089 --> 00:14:03,470 condition and based on the condition we 265 00:14:03,470 --> 00:14:05,239 will be returning the search string but 266 00:14:05,239 --> 00:14:07,220 ultimately if you see we are returning the 267 00:14:07,220 --> 00:14:09,019 search string only at the end of the day 268 00:14:09,019 --> 00:14:11,029 so that Splunk will replace that macro 269 00:14:11,029 --> 00:14:13,399 with that search string so I'm saying I 270 00:14:13,399 --> 00:14:17,649 will provide argument here let's say 271 00:14:17,649 --> 00:14:21,170 same same argument name let's say so 272 00:14:21,170 --> 00:14:23,360 either I will provide gate channel or I 273 00:14:23,360 --> 00:14:25,879 will provide main as my or argument 274 00:14:25,879 --> 00:14:27,980 value okay I'll show you how how I 275 00:14:27,980 --> 00:14:31,519 provide that one case I am saying my 276 00:14:31,519 --> 00:14:37,669 input dollar this one dollar is equals 277 00:14:37,669 --> 00:14:42,860 to let us say gate channel okay as it is 278 00:14:42,860 --> 00:14:46,639 within quotes remember that if this one 279 00:14:46,639 --> 00:14:49,699 has to be quotes as well or when you 
are 280 00:14:49,699 --> 00:14:51,559 calling you have to call with this with 281 00:14:51,559 --> 00:14:53,839 quotes I prefer to be like this only so 282 00:14:53,839 --> 00:14:55,610 that everything is in your inside your 283 00:14:55,610 --> 00:14:58,699 macro only in that case the string I 284 00:14:58,699 --> 00:15:04,999 will return is this kind get Jenna star 285 00:15:04,999 --> 00:15:07,129 now you have to be very careful over 286 00:15:07,129 --> 00:15:10,459 here when you deal with a generating 287 00:15:10,459 --> 00:15:11,869 command if you seek it generates a 288 00:15:11,869 --> 00:15:13,610 generating command right that's why this 289 00:15:13,610 --> 00:15:15,019 has to be the first command in your 290 00:15:15,019 --> 00:15:19,869 search string now for generating command 291 00:15:19,869 --> 00:15:22,549 when you run it if you see there is a 292 00:15:22,549 --> 00:15:25,220 bar over here search bar right after 293 00:15:25,220 --> 00:15:27,049 that only if I run this command without 294 00:15:27,049 --> 00:15:29,810 this bar nothing will come up 295 00:15:29,810 --> 00:15:32,149 it requires this bar but when you put 296 00:15:32,149 --> 00:15:35,480 this gate Jenner star this generating 297 00:15:35,480 --> 00:15:38,959 command inside a macro so you put it 298 00:15:38,959 --> 00:15:41,089 without the bar so that when you call 299 00:15:41,089 --> 00:15:43,939 the macro you will call with bar then 300 00:15:43,939 --> 00:15:45,319 macro name I will show you that one as 301 00:15:45,319 --> 00:15:47,660 well but that's why I am giving without 302 00:15:47,660 --> 00:15:50,540 the bar here this is this has to be very 303 00:15:50,540 --> 00:15:53,110 careful with the generating commands 304 00:15:53,110 --> 00:15:55,309 because if you put bar inside it will 305 00:15:55,309 --> 00:16:01,069 not work now when my input is main ok in 306 00:16:01,069 --> 00:16:04,579 that case I will return the string 307 00:16:04,579 --> 00:16:10,309 called 
search index equals to main here 308 00:16:10,309 --> 00:16:12,620 also another good thing is when you run 309 00:16:12,620 --> 00:16:14,540 index equals to main from your search 310 00:16:14,540 --> 00:16:16,670 prompt right you do not need to mention 311 00:16:16,670 --> 00:16:18,680 search then index equals to main 312 00:16:18,680 --> 00:16:21,829 because that is by default comes up but 313 00:16:21,829 --> 00:16:23,899 when you use it in a macro or somewhere 314 00:16:23,899 --> 00:16:24,230 else 315 00:16:24,230 --> 00:16:27,110 you have to put it like this search then 316 00:16:27,110 --> 00:16:31,160 index equals to main okay so this thing I 317 00:16:31,160 --> 00:16:33,350 will be returning since my macro has one 318 00:16:33,350 --> 00:16:37,069 input so I will be giving one here okay 319 00:16:37,069 --> 00:16:39,230 validation we are not doing anything now 320 00:16:39,230 --> 00:16:44,389 so let's save it okay this is our third 321 00:16:44,389 --> 00:16:48,769 macro so get general or main see if I 322 00:16:48,769 --> 00:16:53,750 run this macro now okay so as I said it 323 00:16:53,750 --> 00:16:56,149 has a generating command that's why I am 324 00:16:56,149 --> 00:16:59,959 giving a bar over here then my tick and 325 00:16:59,959 --> 00:17:03,680 then my input let's say I will be giving 326 00:17:03,680 --> 00:17:09,530 input as get general I want to know I 327 00:17:09,530 --> 00:17:11,480 want to work with the data set to get 328 00:17:11,480 --> 00:17:21,220 channel okay so if let's see okay 329 00:17:21,220 --> 00:17:28,370 bracket is missing over here save now 330 00:17:28,370 --> 00:17:30,020 if you see if I run this macro again it 331 00:17:30,020 --> 00:17:31,640 is giving me same because sometimes it's 332 00:17:31,640 --> 00:17:34,520 not you don't take the refreshed value 333 00:17:34,520 --> 00:17:36,620 so what I will do in this case just copy 334 00:17:36,620 --> 00:17:41,690 this code close it Danny taking such 335 00:17:41,690 --> 
00:17:43,340 Factory unknown search comma 336 00:17:43,340 --> 00:17:55,850 and case to see what's going on okay it 337 00:17:55,850 --> 00:17:58,280 has to be eval based macro because it is 338 00:17:58,280 --> 00:18:01,190 returning a string now right so let's say 339 00:18:01,190 --> 00:18:10,760 wait and let it is not okay now if you 340 00:18:10,760 --> 00:18:13,910 see if I run this gate general macro so 341 00:18:13,910 --> 00:18:15,410 it is giving me this data set where it 342 00:18:15,410 --> 00:18:17,230 is running that gate general star 343 00:18:17,230 --> 00:18:19,130 generating command and giving me this 344 00:18:19,130 --> 00:18:23,510 result if I say main in this case it is 345 00:18:23,510 --> 00:18:26,090 giving me this data set where I have 346 00:18:26,090 --> 00:18:29,750 index my data so this is how you can 347 00:18:29,750 --> 00:18:33,020 create a eval based macro okay so now 348 00:18:33,020 --> 00:18:36,770 macro has a diff separate permissions as 349 00:18:36,770 --> 00:18:39,590 well if you see from this macro macro 350 00:18:39,590 --> 00:18:44,090 list page you can and you can set the 351 00:18:44,090 --> 00:18:46,430 permissions as well so currently I will 352 00:18:46,430 --> 00:18:48,050 show you I will set this permission as 353 00:18:48,050 --> 00:18:50,330 this app only and read I will say 354 00:18:50,330 --> 00:18:52,940 everyone and write let's say admin let's 355 00:18:52,940 --> 00:18:57,380 do it for all the macros permission so 356 00:18:57,380 --> 00:18:58,520 you have to be very careful with the 357 00:18:58,520 --> 00:19:02,480 macro permissions as well otherwise any 358 00:19:02,480 --> 00:19:04,520 unprivileged user will not be able to 359 00:19:04,520 --> 00:19:07,100 run this macro and your dashboard will 360 00:19:07,100 --> 00:19:11,890 not show up anything so read/write okay 361 00:19:11,890 --> 00:19:14,330 now we have set the permissions of the 362 00:19:14,330 --> 00:19:17,120 macro as well now let's see what's 
what's going 363 00:19:17,120 --> 00:19:19,490 on at the background so I am in my 364 00:19:19,490 --> 00:19:24,020 Splunk home I will go to a TC apps tmdb 365 00:19:24,020 --> 00:19:26,990 F and I will go to my local folder if 366 00:19:26,990 --> 00:19:28,970 you see whenever you creates a macro 367 00:19:28,970 --> 00:19:31,220 it's creates a another Khan file called 368 00:19:31,220 --> 00:19:34,100 macro scones I will open this file and 369 00:19:34,100 --> 00:19:37,190 if you see all different macros we have 370 00:19:37,190 --> 00:19:39,080 created its gate separate separate 371 00:19:39,080 --> 00:19:43,040 stanza for that macro name and with all 372 00:19:43,040 --> 00:19:45,920 the input numbers right and args is the 373 00:19:45,920 --> 00:19:49,070 inputs of this macros wait for bonus if 374 00:19:49,070 --> 00:19:52,820 you see here for bonus my arguments are 375 00:19:52,820 --> 00:19:55,520 VPN bonus like two arguments those are 376 00:19:55,520 --> 00:19:56,840 showing up here this 377 00:19:56,840 --> 00:19:59,240 the macro definition this is the error 378 00:19:59,240 --> 00:20:02,029 message you set it for this macro this 379 00:20:02,029 --> 00:20:03,320 is the validation you have set it for 380 00:20:03,320 --> 00:20:06,470 this macro and this is evil is telling 381 00:20:06,470 --> 00:20:08,480 you whether this macro is well based or 382 00:20:08,480 --> 00:20:10,909 not as our last macro get general or 383 00:20:10,909 --> 00:20:13,789 main is evil ways that Troy is evil is 384 00:20:13,789 --> 00:20:16,130 one for rest of the - macros easy well 385 00:20:16,130 --> 00:20:21,080 is zero okay now you can you can call a 386 00:20:21,080 --> 00:20:23,779 macro another inside another macro so to 387 00:20:23,779 --> 00:20:26,690 do that let's do this exercise where we 388 00:20:26,690 --> 00:20:28,490 have created these totals energy right 389 00:20:28,490 --> 00:20:29,929 and also bonus 390 00:20:29,929 --> 00:20:31,940 so inside total Cirelli 
we will try to 391 00:20:31,940 --> 00:20:35,059 call this bonus one to do that I will 392 00:20:35,059 --> 00:20:37,549 do one thing I will clone this total 393 00:20:37,549 --> 00:20:40,309 salary macro no I like this let's let's 394 00:20:40,309 --> 00:20:43,870 get a new one only it's a total salary 395 00:20:43,870 --> 00:20:48,460 total salary 396 00:20:49,779 --> 00:20:50,990 v2 397 00:20:50,990 --> 00:20:53,870 version 2 okay so what I will do it will 398 00:20:53,870 --> 00:20:57,200 not be eval based macro let's say my 399 00:20:57,200 --> 00:21:01,850 previous will be there eval right so 400 00:21:01,850 --> 00:21:06,200 it has two arguments basic salary and 401 00:21:06,200 --> 00:21:11,149 variable percent right now I'll be 402 00:21:11,149 --> 00:21:14,419 adding this bonus as well so bonus 403 00:21:14,419 --> 00:21:16,279 requires another extra input called 404 00:21:16,279 --> 00:21:19,460 bonus right so I will be adding this as 405 00:21:19,460 --> 00:21:23,179 a extra input comma this so my total 406 00:21:23,179 --> 00:21:27,020 macro inputs will be three basic salary 407 00:21:27,020 --> 00:21:29,750 and variable pay will be will be used 408 00:21:29,750 --> 00:21:33,020 here and variable pay and bonus will be 409 00:21:33,020 --> 00:21:35,659 used in another eval statement which we 410 00:21:35,659 --> 00:21:37,730 have which will be a calling in this 411 00:21:37,730 --> 00:21:40,760 bonus macro right so in this case I will 412 00:21:40,760 --> 00:21:44,360 be calling this bonus macro inside so 413 00:21:44,360 --> 00:21:48,830 I'll say this one pipe then my bonus 414 00:21:48,830 --> 00:21:51,549 macro bonus macro takes two arguments 415 00:21:51,549 --> 00:21:54,830 one is variable percent and another is 416 00:21:54,830 --> 00:21:59,659 bonus so variable percent I'll pass and 417 00:21:59,659 --> 00:22:04,370 I'll pass this bonus as well so ideally 418 00:22:04,370 --> 00:22:06,740 the behavior should be same as we have 419 
00:22:06,740 --> 00:22:10,530 seen before right so 420 00:22:10,530 --> 00:22:18,750 done tick okay so now let's save it okay 421 00:22:18,750 --> 00:22:21,690 so total sir I do so before before I do 422 00:22:21,690 --> 00:22:27,030 that so let us run our macro so I'll 423 00:22:27,030 --> 00:22:31,669 just copy paste that code portion here 424 00:22:31,669 --> 00:22:35,850 right so I'll just copy paste this code 425 00:22:35,850 --> 00:22:37,880 portion here 426 00:22:37,880 --> 00:22:41,190 it's a macro total salary nan okay I 427 00:22:41,190 --> 00:22:47,390 think total I am my macro is total 7 428 00:22:54,260 --> 00:23:00,000 this mismatch parenthesis okay okay so 429 00:23:00,000 --> 00:23:03,000 it has created this one in this new new 430 00:23:03,000 --> 00:23:06,330 field in the new search field what I 431 00:23:06,330 --> 00:23:09,510 will do is on after this one 432 00:23:09,510 --> 00:23:13,020 I will be calling my total salary 433 00:23:13,020 --> 00:23:16,020 version 2 macro okay what it is doing 434 00:23:16,020 --> 00:23:18,480 the work of both of these 2 bonus and 435 00:23:18,480 --> 00:23:20,880 total salary right so total salary 436 00:23:20,880 --> 00:23:26,640 version 2 okay so my tick version 2 437 00:23:26,640 --> 00:23:29,580 version 2 requires three arguments one 438 00:23:29,580 --> 00:23:32,220 is my basic salary variable percent and 439 00:23:32,220 --> 00:23:35,039 the similar percent value I will give as 8 440 00:23:35,039 --> 00:23:36,929 so that we can at least compare what's 441 00:23:36,929 --> 00:23:41,340 the outputs so if I run this one see if 442 00:23:41,340 --> 00:23:42,720 it is it is working in the same way 443 00:23:42,720 --> 00:23:45,150 where it is getting this bonus field and 444 00:23:45,150 --> 00:23:46,860 total salary and if you see the output 445 00:23:46,860 --> 00:23:49,549 is same as well 446 00:23:49,549 --> 00:23:53,700 15 22 we have given seven here okay 447 00:23:53,700 --> 00:23:57,600 let's let's run it 
with seven only see 448 00:23:57,600 --> 00:23:59,159 if you see fifteen twenty two twenty two 449 00:23:59,159 --> 00:24:01,770 twenty seventeen ten seventy like this 450 00:24:01,770 --> 00:24:05,610 okay so this is how you can call a macro 451 00:24:05,610 --> 00:24:08,370 inside another macro as well so if you 452 00:24:08,370 --> 00:24:11,940 see here by by by by this structure you 453 00:24:11,940 --> 00:24:14,850 can achieve a very complex structure as 454 00:24:14,850 --> 00:24:18,179 well and complex structure which which 455 00:24:18,179 --> 00:24:20,250 is basically a useable component in 456 00:24:20,250 --> 00:24:24,210 Splunk search query okay so this is how 457 00:24:24,210 --> 00:24:26,520 you need to know basically to deal with 458 00:24:26,520 --> 00:24:29,790 macros and macros are very useful in 459 00:24:29,790 --> 00:24:32,760 Splunk because not only it it it gives 460 00:24:32,760 --> 00:24:36,240 you the modularity approach but also 461 00:24:36,240 --> 00:24:38,820 it's it's is give you the very shorter 462 00:24:38,820 --> 00:24:41,070 search string and very readable code 463 00:24:41,070 --> 00:24:45,350 as well ok see you in next video