okay today we will discuss about plan

macros okay so his plan macros you can

think of it as a reusable component in

your Splunk search where suppose a

particular search portion if it is using

if you are using many times mmm then you

can put it in a macro so that you can

call that micro and the macro will be

replaced runtime with that search string

okay so macros are very very useful when

suppose you have many dashboards in your

application and in all this - but you

have some search which is running in all

the - boots right so in this case you

can implement that such portion in a

macro where you can just call that macro

instead of this whole search string in

your dashboards so in the future if you

want to do any changes in that search

logic you will just change into the into

one place in that in macro body okay so

so by implementing macro basically we

are achieving two things one is the

modularity of your code easily

maintaining of your code and as well as

your search string will be very much

smaller okay so there are there are

couple - two different types of macro we

generally deals with one is eval based

macro and there is no an evil based

macro so before we discuss those things

let me show you the data I have it here

so I have some people name and their

basic salary and and variable percent so

I'll show you to how to create evil

waste macro how to create non evil West

Metro and what are the differences

between them and and then how to call

macarons at a macro also we will try to

discuss that one okay so first let us

see how we can create a non evil macro

so now an evil macro and honorable macro

if you see functionality-wise both are

same so when we define a macro the macro

body you are giving this string right so

dynamically in the run time

macro will be definite will be replaced

by that macro body by spelling search

okay now when we talk about evil waste

macro it is expected that the macro is

returning a string when you use non evil

waste macro you can directly put the

search string inside the macro so let me

show you suppose I wanted to calculate

total salary based on this formula

called basic salary let me show you

basic salary plus basic into that

percentage variable percentage variable

percent okay so to do that to create any

macro from the Splunk uy this is how you

do it we'll go to settings we go to

advanced search okay from there if you

see there is a option called such Mac

rooms you go there you select your app

from there so I'll be creating this

matter in my tmdb app so I have selected

tmdb over here then new search macro

okay if you see the destination I've

already selected as TM GB I'll give it a

name let's say total salary okay so now

whether a macro is evil waste or not

determined by this check box if you

check this one it will be well waste

macro if you don't just check this one

it will be a non evil West macro so the

first we will discuss about non evil

missed macro so what I am trying to say

is when you what I said is whenever we

are creating a non evil West micro we

can directly give a search string over

there so my search team will be

something like this I will be creating a

new field called total salary so that's

why that evil total salary equals to now

I will be passing this to my basic

salary and variable percent to this

macro right row do that what I will do

I'll create a argument of this macro

in basic salary so in the argument

section you will be giving control see

these two things basic salary and

variable percent as two arguments as the

macro has two arguments it is mandatory

that in this name section you give how

many number of arguments you have in

your macro if it is one you have to give

one here okay now the formula is my

basic salary now this basic salary is my

input variable right so to access input

variable you access like this just like

it token okay basic salary plus my basic

salary into that variable percent again

as input I am accessing right then

divide it by 100 so this will be minus

macro body now there is a two options

for validation expression interrogation

error message I will show you in the

next macro see if I save it okay

so if you see the macro has been created

now if I call this macro over here so to

call a macro this is how you call there

is a tick mark if you see okay from your

keyboard then the macro name total

salary and it has two arguments right my

basic salary and my variable percent

then tick end now this basic salary is

corresponds to this basic salary and

variable person corresponds to this

variable person failed

now when you define the macro I have

given the same name as macro input you

can give any any input variable name

over here the same name you have to use

over here as well but when you pass a

macro pass this visix ready and variable

person to this macro you'll be giving

this field name only

so let us run it and see what's going on

if you see it has created a total salary

failed with this formal output 4000 plus

4000 into 15% is 4,600 right so it is

basically same as the run time what is

happening is something like this so if I

instead of total salary if I just gave

this one and instead of this token

variable I just give my flake name here

the output will be same variable percent

the output will be same so this is how

what is happening as well so run time

Splunk is replacing this macro body with

this variable inputs and then it is

running the query so ultimately this

squad is getting run okay so but the

thing is this this code if you put it in

a macro you can call that macro anybody

new such so that means that this code

portions will be reusable now okay now

let's see an example where we can use

this validation expression and

validation error message now a

validation expression is used when you

want to do some kind of validation on

your macro inputs okay so and validation

error message means when this input is

getting or this validation is getting

filled this error message will be

displayed over there so to do that what

I will do is I'll create another macro

okay so now let's say we have basic

salary and variable percent right let's

say we want to calculate a bonus

percentage with this formula called

variable percent variable percent plus

any any of the person any number let's

say seven percent or eight in a number

I'll provide inputs it will give me it

will add those two percentage value and

give me the bonus percent okay so to do

that I will just create that similar

macro name bonus

okay so the formula will be again it

will be non evil based okay eval bonus

equals two so my variable percent right

I have to provide as a input so I'll

giving input so let's say this time I

will rename this to something maybe so

I'll say dollar VP dollar then plus

another input I will be giving let's say

bonus input okay so this bonus I will be

adding here okay Nonna's so we have two

inputs that means we have to give two

over here now I'll add an expression now

I always want this bonus to be in number

okay do that i'll so this validation

expression has to be a boolean

expression or eval okay so if you saw my

previous video we we discussed about

various evil expressions right and some

of the expressions returns bully and the

strict like operator or in operator or

easy num operator which basically checks

whether a particular input is number or

not so you will be using is numb over

here on this bonus that means I am

checking whether whatever I am providing

as the input to this bonus variable

parameter whether it is number or not if

it is not number will I will give this

in this output error message bonus must

be and number okay

so let's save this macro okay now I will

call this macro here let it be my total

salary macro called as is if I just do

control see

okay here I'm calling my total salary so

to stick the output now after that I'll

be calling the bonus macro it's a

similar way tick macro named micro

inputs one of the inputs will be my

variable percent and another another

output may be let's say 8 percent I want

to add with the variable percent so what

will be output in this case it should

create a new field called bonus with 15

plus 8 20 plus 8 something like this

okay if you see you can create you can

access different different macros in

your whole search okay now let's say I

have provided a string here it says test

ok what is happening so if you provide

this thing here that validation is

getting failed we have added over here

is numb so that set is giving you this

error bonus must be a number so this is

how macro input validation works ok let

us continue now we will discuss about

how to create an eval macro so to do

that what we'll do is first let me show

you two things if you remember from my

previous video we have created a command

called gate churners right and that

common takes an input with the journal

ID and if we are not giving any general

idea giving star it will give you all

the journal titles right and also we

have a we have created a our we have

index our data into this main index

right so you have another data set

called main where we have we're having

this salary and this information just

now you are working with a data set so

suppose there is a requirement that

based on certain condition either I need

to go with this data set or I need to go

with this data set in this type of

scenario where dynamically you have to

determine which data set to work on or

dynamically

in which search string to which search

things were written that means to

assistant to work with eval macros are

coming into picture okay so because the

main concept behind evil macro is it has

to return a string so in that case how

we will create is like this let's say

new search macro I'll give a name call

gate channel or main index okay just

like the name just to show you the use

case of it so here what I will write I

will write it if or case statement

really mostly we light a key for case

statement for eval based macro so case

so that we can have different different

condition and based on the condition we

will be returning the search string but

ultimately if you see we are in the

start sitting only at the end of the day

so that Splunk will replace that macro

with that search string so i'm saying i

will provide argument here let's say

same same argument name let's say so

either i will provide gate channel or i

will provide main as my or argument

value okay i'll show you how how i

provide that one case i am saying my

input taller this one dollar is equals

to let us say gate channel okay as it is

within quotes remember that if this one

has to be quotes as well or when you are

calling you have to call with this with

course i prefer to be like this only so

that everything is in your inside your

macro only in that case the string I

will return is this kind get Jenna star

now you have to be very careful over

here when you dil Dil with a generating

command if you seek it generates a

generating comment right thats why this

has to be the first command in your

search string now for generating comment

when you run it if you see there is a

bar over here search bar right after

that only if I run this command without

this word nothing will come up

it requires this bar but when you put

this gate Jenner star this generating

command inside a macro so you put it

without the bar so that when you call

the macro you will call with bar then

macro name I will show you that one as

well but that's why I am giving without

the bar here this is this has to be very

careful with the generating comments

because if you put bar inside it will

not work now when my input is main ok in

that case I will return the string

called search index equals two main here

also another good thing is when you run

index equals two main from your search

prompt right you do not need to mention

search then index equals two main

because that is by default comes up but

when you use it in a macro or somewhere

else

you have to put it like this search then

index equals to me okay so this thing I

will be returning says my macro has one

input so I will be giving one here okay

validation we are not doing anything now

so let's save it okay this is our third

macro so get general or main see if I

run this macro now okay so as I said it

has a generating comment that's why I am

giving a bar over here then my take and

then my input let's say I will be giving

input s get general I want to know I

want to work with the data set to get

channel okay so if let's see okay

bracket this missing over here save now

if you see if I run this macro again it

is giving me same because sometimes it's

not you don't take the refreshed value

so what I will do in this case just copy

this code close it Danny taking such

Factory unknown search comma

and case to see what's going on okay it

has to be evil waste macro because it is

running a string now right so let's say

wait and let it is not okay now if you

see if I run this gate general macro so

it is giving me this data set where it

is running that gate general Starr

generating command and giving me this

result if I say main in this case it is

giving me this data set where I have

index my data so this is how you can

create a evil waste macro okay so now

macro has a diff separate permissions as

well if you see from this macro macro

list page you can and you can set the

permissions as well so currently I will

show you I will set this permission as

this upon't Li and read I will say

everyone and right let's say admin let's

do it for all the macros permission so

you have to be very careful with the

macro permissions as well otherwise any

unprivileged user will not be able to

run this macro and your dashboard will

not show up anything so read/write okay

now we have set the permissions of the

macro as well now let's see what's going

on at the background so I am in my

Splunk home I will go to a TC apps tmdb

F and I will go to my local folder if

you see whenever you creates a macro

it's creates a another Khan file called

macro scones I will open this file and

if you see all different macros we have

created its gate separate separate

stanza for that macro name and with all

the input numbers right and args is the

inputs of this macros wait for bonus if

you see here for bonus my arguments are

VPN bonus like two arguments those are

showing up here this

the macro definition this is the error

message you set it for this macro this

is the validation you have set it for

this macro and this is evil is telling

you whether this macro is well based or

not as our last macro get general or

main is evil ways that Troy is evil is

one for rest of the - macros easy well

is zero okay now you can you can call a

macro another inside another macro so to

do that let's do this exercise where we

have created these totals energy right

and also bonus

so inside total Cirelli we will try to

call this bonus one who do that I will

do one thing I will clone this total

celery macro no I like this let's let's

get a new one only it's a total salary

total salary

yv2

version - okay so what I will do it will

not be well based macro let's say my

previous will be there he well right so

it has two arguments basic salary and

variable percent right now I'll be

adding this bonus as well so bonus

requires another extra input called

bonus right so I will be adding this as

a extra input comma this so my total

macro inputs will be three basic salary

and variable pay will be he'll be used

here and variable pay and bonus will be

used in another evil statement which we

have which will be a calling in this

bonus macro right so in this case I will

be calling this bonus macro inside so

I'll say this one pipe then my bonus

macro bonus macro takes two arguments

one is variable percent and another is

bonus so variable percent I'll pass and

I'll pass this bonus as well so ideally

the behavior should be same as we have

seen before right so

done tick okay so now let's save it okay

so total sir I do so before before I do

that so let us run our macro so I'll

just copy paste that code portion here

right so I'll just copy paste this code

portion here

it's a macro total salary nan okay I

think total I am my macro is total 7

this mismatch parenthesis okay okay so

it has created this one in this new new

field in the new search field what I

will do is on after this one

I will be calling my total salary

version 2 macro okay what it is doing

the work of both of these 2 bonus and

total salary right so total salary

version - okay so my tick version 2

version 2 requires three arguments one

is my basic salary variable percent and

the similar person value I will gives 8

so that we can at least compare what's

the outputs so if I run this one see if

it is it is working in the same way

where it is getting this bonus field and

total salary and if you see the output

is same as well

15:22 we have given seven here okay

let's let's run it with seven only see

if you see fifteen twenty two twenty two

twenty seventeen ten seventy like this

okay so this is how you can call a macro

inside another macro as well so if you

see here by by by by this structure you

can achieve a very complex structure as

well and complex structure which which

is basically a useable component in

Splunk search query okay so this is how

you need to know basically to deal with

macros and macros are very useful in

Splunk because not only it it it gives

you the modularity approach but also

it's it's is give you the very shorter

search string and very readable course

as well ok see you in next video