WEBVTT 00:00:00.030 --> 00:00:02.939 okay today we will discuss about Splunk 00:00:02.939 --> 00:00:06.240 macros okay so Splunk macros you can 00:00:06.240 --> 00:00:09.090 think of it as a reusable component in 00:00:09.090 --> 00:00:12.960 your Splunk search where suppose a 00:00:12.960 --> 00:00:15.870 particular search portion if it is using 00:00:15.870 --> 00:00:18.930 if you are using many times mmm then you 00:00:18.930 --> 00:00:20.460 can put it in a macro so that you can 00:00:20.460 --> 00:00:23.580 call that macro and the macro will be 00:00:23.580 --> 00:00:26.310 replaced runtime with that search string 00:00:26.310 --> 00:00:28.920 okay so macros are very very useful when 00:00:28.920 --> 00:00:31.890 suppose you have many dashboards in your 00:00:31.890 --> 00:00:34.590 application and in all these dashboards you 00:00:34.590 --> 00:00:38.670 have some search which is running in all 00:00:38.670 --> 00:00:41.610 the dashboards right so in this case you 00:00:41.610 --> 00:00:43.410 can implement that search portion in a 00:00:43.410 --> 00:00:45.680 macro where you can just call that macro 00:00:45.680 --> 00:00:47.850 instead of this whole search string in 00:00:47.850 --> 00:00:50.370 your dashboards so in the future if you 00:00:50.370 --> 00:00:52.440 want to do any changes in that search 00:00:52.440 --> 00:00:55.140 logic you will just change into the into 00:00:55.140 --> 00:00:58.530 one place in that in macro body okay so 00:00:58.530 --> 00:01:01.350 so by implementing macro basically we 00:01:01.350 --> 00:01:04.170 are achieving two things one is the 00:01:04.170 --> 00:01:06.930 modularity of your code easily 00:01:06.930 --> 00:01:09.630 maintaining of your code and as well as 00:01:09.630 --> 00:01:11.250 your search string will be very much 00:01:11.250 --> 00:01:15.720 smaller okay so there are there are 00:01:15.720 --> 00:01:18.689 couple - two different types of macro we 00:01:18.689 --> 00:01:20.580 generally deal with one is eval based 
00:01:20.580 --> 00:01:23.189 macro and there is non eval based 00:01:23.189 --> 00:01:26.400 macro so before we discuss those things 00:01:26.400 --> 00:01:29.790 let me show you the data I have it here 00:01:29.790 --> 00:01:32.909 so I have some people name and their 00:01:32.909 --> 00:01:36.270 basic salary and and variable percent so 00:01:36.270 --> 00:01:39.720 I'll show you to how to create eval 00:01:39.720 --> 00:01:42.420 based macro how to create non eval based 00:01:42.420 --> 00:01:43.710 macro and what are the differences 00:01:43.710 --> 00:01:47.939 between them and and then how to call 00:01:47.939 --> 00:01:49.860 macro inside a macro also we will try to 00:01:49.860 --> 00:01:52.470 discuss that one okay so first let us 00:01:52.470 --> 00:01:56.759 see how we can create a non eval macro 00:01:56.759 --> 00:02:00.409 so non eval macro and an eval macro 00:02:00.409 --> 00:02:03.600 if you see functionality-wise both are 00:02:03.600 --> 00:02:07.020 same so when we define a macro the macro 00:02:07.020 --> 00:02:09.890 body you are giving this string right so 00:02:09.890 --> 00:02:12.900 dynamically in the run time 00:02:12.900 --> 00:02:15.670 macro will be definitely will be replaced 00:02:15.670 --> 00:02:18.160 by that macro body by Splunk search 00:02:18.160 --> 00:02:22.810 okay now when we talk about eval based 00:02:22.810 --> 00:02:26.500 macro it is expected that the macro is 00:02:26.500 --> 00:02:29.890 returning a string when you use non eval 00:02:29.890 --> 00:02:32.140 based macro you can directly put the 00:02:32.140 --> 00:02:34.210 search string inside the macro so let me 00:02:34.210 --> 00:02:37.240 show you suppose I wanted to calculate 00:02:37.240 --> 00:02:40.000 total salary based on this formula 00:02:40.000 --> 00:02:43.240 called basic salary let me show you 00:02:43.240 --> 00:02:50.340 basic salary plus basic into that 00:02:50.340 --> 00:02:54.160 percentage variable percentage variable 00:02:54.160 --> 
00:02:58.390 percent okay so to do that to create any 00:02:58.390 --> 00:03:01.180 macro from the Splunk UI this is how you 00:03:01.180 --> 00:03:03.850 do it we'll go to settings we go to 00:03:03.850 --> 00:03:08.170 advanced search okay from there if you 00:03:08.170 --> 00:03:10.780 see there is a option called search 00:03:10.780 --> 00:03:13.270 macros you go there you select your app 00:03:13.270 --> 00:03:15.520 from there so I'll be creating this 00:03:15.520 --> 00:03:17.800 macro in my tmdb app so I have selected 00:03:17.800 --> 00:03:20.850 tmdb over here then new search macro 00:03:20.850 --> 00:03:23.709 okay if you see the destination I've 00:03:23.709 --> 00:03:26.410 already selected as tmdb I'll give it a 00:03:26.410 --> 00:03:36.150 name let's say total salary okay so now 00:03:36.150 --> 00:03:39.220 whether a macro is eval based or not 00:03:39.220 --> 00:03:41.200 determined by this check box if you 00:03:41.200 --> 00:03:42.790 check this one it will be eval based 00:03:42.790 --> 00:03:45.489 macro if you don't just check this one 00:03:45.489 --> 00:03:48.220 it will be a non eval based macro so the 00:03:48.220 --> 00:03:49.660 first we will discuss about non eval 00:03:49.660 --> 00:03:51.730 based macro so what I am trying to say 00:03:51.730 --> 00:03:55.180 is when you what I said is whenever we 00:03:55.180 --> 00:03:57.459 are creating a non eval based macro we 00:03:57.459 --> 00:03:59.110 can directly give a search string over 00:03:59.110 --> 00:04:01.270 there so my search string will be 00:04:01.270 --> 00:04:03.160 something like this I will be creating a 00:04:03.160 --> 00:04:05.890 new field called total salary so that's 00:04:05.890 --> 00:04:13.510 why that eval total salary equals to now 00:04:13.510 --> 00:04:17.380 I will be passing this to my basic 00:04:17.380 --> 00:04:19.870 salary and variable percent to this 00:04:19.870 --> 00:04:22.720 macro right to do that what I will do 00:04:22.720 --> 00:04:26.080 I'll 
create a argument of this macro 00:04:26.080 --> 00:04:28.300 in basic salary so in the argument 00:04:28.300 --> 00:04:32.550 section you will be giving control C 00:04:32.550 --> 00:04:35.710 these two things basic salary and 00:04:35.710 --> 00:04:40.360 variable percent as two arguments as the 00:04:40.360 --> 00:04:42.789 macro has two arguments it is mandatory 00:04:42.789 --> 00:04:46.780 that in this name section you give how 00:04:46.780 --> 00:04:48.819 many number of arguments you have in 00:04:48.819 --> 00:04:50.830 your macro if it is one you have to give 00:04:50.830 --> 00:04:55.629 one here okay now the formula is my 00:04:55.629 --> 00:04:59.139 basic salary now this basic salary is my 00:04:59.139 --> 00:05:03.009 input variable right so to access input 00:05:03.009 --> 00:05:04.780 variable you access like this just like 00:05:04.780 --> 00:05:11.770 a token okay basic salary plus my basic 00:05:11.770 --> 00:05:21.159 salary into that variable percent again 00:05:21.159 --> 00:05:26.319 as input I am accessing right then 00:05:26.319 --> 00:05:29.849 divide it by 100 so this will be my 00:05:29.849 --> 00:05:33.759 macro body now there is a two options 00:05:33.759 --> 00:05:35.229 for validation expression and validation 00:05:35.229 --> 00:05:36.580 error message I will show you in the 00:05:36.580 --> 00:05:42.400 next macro see if I save it okay 00:05:42.400 --> 00:05:44.909 so if you see the macro has been created 00:05:44.909 --> 00:05:49.509 now if I call this macro over here so to 00:05:49.509 --> 00:05:51.520 call a macro this is how you call there 00:05:51.520 --> 00:05:54.400 is a tick mark if you see okay from your 00:05:54.400 --> 00:06:01.060 keyboard then the macro name total 00:06:01.060 --> 00:06:04.690 salary and it has two arguments right my 00:06:04.690 --> 00:06:08.699 basic salary and my variable percent 00:06:08.699 --> 00:06:13.150 then tick end now this basic salary is 00:06:13.150 --> 00:06:15.129 corresponds to 
this basic salary and 00:06:15.129 --> 00:06:16.719 variable percent corresponds to this 00:06:16.719 --> 00:06:18.069 variable percent field 00:06:18.069 --> 00:06:21.279 now when you define the macro I have 00:06:21.279 --> 00:06:23.050 given the same name as macro input you 00:06:23.050 --> 00:06:26.080 can give any any input variable name 00:06:26.080 --> 00:06:28.000 over here the same name you have to use 00:06:28.000 --> 00:06:30.580 over here as well but when you pass a 00:06:30.580 --> 00:06:33.759 macro pass this basic salary and variable 00:06:33.759 --> 00:06:35.860 percent to this macro you'll be giving 00:06:35.860 --> 00:06:37.449 this field name only 00:06:37.449 --> 00:06:40.270 so let us run it and see what's going on 00:06:40.270 --> 00:06:43.889 if you see it has created a total salary 00:06:43.889 --> 00:06:47.650 field with this formula output 4000 plus 00:06:47.650 --> 00:06:51.819 4000 into 15% is 4,600 right so it is 00:06:51.819 --> 00:06:54.639 basically same as the run time what is 00:06:54.639 --> 00:06:58.120 happening is something like this so if I 00:06:58.120 --> 00:07:00.099 instead of total salary if I just gave 00:07:00.099 --> 00:07:04.300 this one and instead of this token 00:07:04.300 --> 00:07:07.960 variable I just give my field name here 00:07:07.960 --> 00:07:14.490 the output will be same variable percent 00:07:14.490 --> 00:07:18.520 the output will be same so this is how 00:07:18.520 --> 00:07:21.490 what is happening as well so run time 00:07:21.490 --> 00:07:25.060 Splunk is replacing this macro body with 00:07:25.060 --> 00:07:28.029 this variable inputs and then it is 00:07:28.029 --> 00:07:29.710 running the query so ultimately this 00:07:29.710 --> 00:07:32.740 code is getting run okay so but the 00:07:32.740 --> 00:07:34.960 thing is this this code if you put it in 00:07:34.960 --> 00:07:36.909 a macro you can call that macro in any 00:07:36.909 --> 00:07:39.129 new search so that means that this code 00:07:39.129 
--> 00:07:42.490 portions will be reusable now okay now 00:07:42.490 --> 00:07:46.149 let's see an example where we can use 00:07:46.149 --> 00:07:47.680 this validation expression and 00:07:47.680 --> 00:07:49.270 validation error message now a 00:07:49.270 --> 00:07:51.699 validation expression is used when you 00:07:51.699 --> 00:07:54.819 want to do some kind of validation on 00:07:54.819 --> 00:08:00.279 your macro inputs okay so and validation 00:08:00.279 --> 00:08:02.830 error message means when this input is 00:08:02.830 --> 00:08:04.749 getting or this validation is getting 00:08:04.749 --> 00:08:06.430 failed this error message will be 00:08:06.430 --> 00:08:09.459 displayed over there so to do that what 00:08:09.459 --> 00:08:14.639 I will do is I'll create another macro 00:08:14.639 --> 00:08:20.110 okay so now let's say we have basic 00:08:20.110 --> 00:08:22.569 salary and variable percent right let's 00:08:22.569 --> 00:08:24.789 say we want to calculate a bonus 00:08:24.789 --> 00:08:27.669 percentage with this formula called 00:08:27.669 --> 00:08:32.349 variable percent variable percent plus 00:08:32.349 --> 00:08:35.620 any any of the percent any number let's 00:08:35.620 --> 00:08:37.930 say seven percent or eight any number 00:08:37.930 --> 00:08:40.539 I'll provide inputs it will give me it 00:08:40.539 --> 00:08:43.060 will add those two percentage value and 00:08:43.060 --> 00:08:45.610 give me the bonus percent okay so to do 00:08:45.610 --> 00:08:48.279 that I will just create that similar 00:08:48.279 --> 00:08:52.110 macro name bonus 00:08:52.110 --> 00:08:56.680 okay so the formula will be again it 00:08:56.680 --> 00:09:06.029 will be non eval based okay eval bonus 00:09:07.860 --> 00:09:13.839 equals to so my variable percent right 00:09:13.839 --> 00:09:16.270 I have to provide as a input so I'll 00:09:16.270 --> 00:09:18.790 giving input so let's say this time I 00:09:18.790 --> 00:09:21.610 will rename this to something maybe so 
00:09:21.610 --> 00:09:27.810 I'll say dollar VP dollar then plus 00:09:27.810 --> 00:09:30.580 another input I will be giving let's say 00:09:30.580 --> 00:09:36.540 bonus input okay so this bonus I will be 00:09:36.540 --> 00:09:42.190 adding here okay bonus so we have two 00:09:42.190 --> 00:09:44.080 inputs that means we have to give two 00:09:44.080 --> 00:09:47.440 over here now I'll add an expression now 00:09:47.440 --> 00:09:50.260 I always want this bonus to be in number 00:09:50.260 --> 00:09:53.589 okay to do that I'll so this validation 00:09:53.589 --> 00:09:55.690 expression has to be a boolean 00:09:55.690 --> 00:09:59.079 expression or eval okay so if you saw my 00:09:59.079 --> 00:10:01.209 previous video we we discussed about 00:10:01.209 --> 00:10:04.390 various eval expressions right and some 00:10:04.390 --> 00:10:06.160 of the expressions returns boolean the 00:10:06.160 --> 00:10:08.800 strict like operator or in operator or 00:10:08.800 --> 00:10:11.770 isnum operator which basically checks 00:10:11.770 --> 00:10:15.220 whether a particular input is number or 00:10:15.220 --> 00:10:17.230 not so you will be using isnum over 00:10:17.230 --> 00:10:20.529 here on this bonus that means I am 00:10:20.529 --> 00:10:23.290 checking whether whatever I am providing 00:10:23.290 --> 00:10:25.380 as the input to this bonus variable 00:10:25.380 --> 00:10:28.630 parameter whether it is number or not if 00:10:28.630 --> 00:10:32.350 it is not number will I will give this 00:10:32.350 --> 00:10:36.670 in this output error message bonus must 00:10:36.670 --> 00:10:41.490 be a number okay 00:10:41.490 --> 00:10:50.110 so let's save this macro okay now I will 00:10:50.110 --> 00:10:56.950 call this macro here let it be my total 00:10:56.950 --> 00:11:01.779 salary macro called as is if I just do 00:11:01.779 --> 00:11:03.530 control C 00:11:03.530 --> 00:11:06.530 okay here I'm calling my total salary so 00:11:06.530 --> 00:11:08.930 to stick the 
output now after that I'll 00:11:08.930 --> 00:11:14.930 be calling the bonus macro it's a 00:11:14.930 --> 00:11:17.960 similar way tick macro name macro 00:11:17.960 --> 00:11:19.760 inputs one of the inputs will be my 00:11:19.760 --> 00:11:22.820 variable percent and another another 00:11:22.820 --> 00:11:25.790 output may be let's say 8 percent I want 00:11:25.790 --> 00:11:28.400 to add with the variable percent so what 00:11:28.400 --> 00:11:30.770 will be output in this case it should 00:11:30.770 --> 00:11:33.560 create a new field called bonus with 15 00:11:33.560 --> 00:11:35.780 plus 8 20 plus 8 something like this 00:11:35.780 --> 00:11:39.400 okay if you see you can create you can 00:11:39.400 --> 00:11:41.870 access different different macros in 00:11:41.870 --> 00:11:48.140 your whole search okay now let's say I 00:11:48.140 --> 00:11:52.570 have provided a string here it says test 00:11:52.570 --> 00:11:55.280 ok what is happening so if you provide 00:11:55.280 --> 00:11:57.770 this thing here that validation is 00:11:57.770 --> 00:11:59.660 getting failed we have added over here 00:11:59.660 --> 00:12:02.450 isnum so that set is giving you this 00:12:02.450 --> 00:12:05.510 error bonus must be a number so this is 00:12:05.510 --> 00:12:10.250 how macro input validation works ok let 00:12:10.250 --> 00:12:15.280 us continue now we will discuss about 00:12:15.280 --> 00:12:18.830 how to create an eval macro so to do 00:12:18.830 --> 00:12:22.520 that what we'll do is first let me show 00:12:22.520 --> 00:12:24.920 you two things if you remember from my 00:12:24.920 --> 00:12:28.220 previous video we have created a command 00:12:28.220 --> 00:12:31.940 called get journals right and that 00:12:31.940 --> 00:12:33.800 command takes an input with the journal 00:12:33.800 --> 00:12:36.410 ID and if we are not giving any journal 00:12:36.410 --> 00:12:38.780 ID giving star it will give you all 00:12:38.780 --> 00:12:41.780 the journal titles right 
and also we 00:12:41.780 --> 00:12:47.630 have a we have created a our we have 00:12:47.630 --> 00:12:50.750 indexed our data into this main index 00:12:50.750 --> 00:12:52.130 right so you have another data set 00:12:52.130 --> 00:12:54.200 called main where we have we're having 00:12:54.200 --> 00:12:56.270 this salary and this information just 00:12:56.270 --> 00:12:58.520 now you are working with a data set so 00:12:58.520 --> 00:13:01.000 suppose there is a requirement that 00:13:01.000 --> 00:13:04.730 based on certain condition either I need 00:13:04.730 --> 00:13:09.110 to go with this data set or I need to go 00:13:09.110 --> 00:13:11.330 with this data set in this type of 00:13:11.330 --> 00:13:13.730 scenario where dynamically you have to 00:13:13.730 --> 00:13:15.980 determine which data set to work on or 00:13:15.980 --> 00:13:17.329 dynamically 00:13:17.329 --> 00:13:20.600 in which search string to which search 00:13:20.600 --> 00:13:22.549 things were written that means to 00:13:22.549 --> 00:13:25.100 assistant to work with eval macros are 00:13:25.100 --> 00:13:28.489 coming into picture okay so because the 00:13:28.489 --> 00:13:31.129 main concept behind eval macro is it has 00:13:31.129 --> 00:13:34.279 to return a string so in that case how 00:13:34.279 --> 00:13:36.410 we will create is like this let's say 00:13:36.410 --> 00:13:39.529 new search macro I'll give a name call 00:13:39.529 --> 00:13:46.579 get journal or main index okay just 00:13:46.579 --> 00:13:48.679 like the name just to show you the use 00:13:48.679 --> 00:13:51.980 case of it so here what I will write I 00:13:51.980 --> 00:13:53.899 will write a if or case statement 00:13:53.899 --> 00:13:55.489 really mostly we write a if or case 00:13:55.489 --> 00:13:59.329 statement for eval based macro so case 00:13:59.329 --> 00:14:02.089 so that we can have different different 00:14:02.089 --> 00:14:03.470 condition and based on the condition we 00:14:03.470 --> 00:14:05.239 will 
be returning the search string but 00:14:05.239 --> 00:14:07.220 ultimately if you see we are returning 00:14:07.220 --> 00:14:09.019 search string only at the end of the day 00:14:09.019 --> 00:14:11.029 so that Splunk will replace that macro 00:14:11.029 --> 00:14:13.399 with that search string so I'm saying I 00:14:13.399 --> 00:14:17.649 will provide argument here let's say 00:14:17.649 --> 00:14:21.170 same same argument name let's say so 00:14:21.170 --> 00:14:23.360 either I will provide get journal or I 00:14:23.360 --> 00:14:25.879 will provide main as my or argument 00:14:25.879 --> 00:14:27.980 value okay I'll show you how how I 00:14:27.980 --> 00:14:31.519 provide that one case I am saying my 00:14:31.519 --> 00:14:37.669 input dollar this one dollar is equals 00:14:37.669 --> 00:14:42.860 to let us say get journal okay as it is 00:14:42.860 --> 00:14:46.639 within quotes remember that if this one 00:14:46.639 --> 00:14:49.699 has to be quotes as well or when you are 00:14:49.699 --> 00:14:51.559 calling you have to call with this with 00:14:51.559 --> 00:14:53.839 quotes I prefer to be like this only so 00:14:53.839 --> 00:14:55.610 that everything is in your inside your 00:14:55.610 --> 00:14:58.699 macro only in that case the string I 00:14:58.699 --> 00:15:04.999 will return is this kind get journal star 00:15:04.999 --> 00:15:07.129 now you have to be very careful over 00:15:07.129 --> 00:15:10.459 here when you deal deal with a generating 00:15:10.459 --> 00:15:11.869 command if you see get journal is a 00:15:11.869 --> 00:15:13.610 generating command right that's why this 00:15:13.610 --> 00:15:15.019 has to be the first command in your 00:15:15.019 --> 00:15:19.869 search string now for generating command 00:15:19.869 --> 00:15:22.549 when you run it if you see there is a 00:15:22.549 --> 00:15:25.220 bar over here search bar right after 00:15:25.220 --> 00:15:27.049 that only if I run this command without 00:15:27.049 --> 00:15:29.810 this bar 
nothing will come up 00:15:29.810 --> 00:15:32.149 it requires this bar but when you put 00:15:32.149 --> 00:15:35.480 this get journal star this generating 00:15:35.480 --> 00:15:38.959 command inside a macro so you put it 00:15:38.959 --> 00:15:41.089 without the bar so that when you call 00:15:41.089 --> 00:15:43.939 the macro you will call with bar then 00:15:43.939 --> 00:15:45.319 macro name I will show you that one as 00:15:45.319 --> 00:15:47.660 well but that's why I am giving without 00:15:47.660 --> 00:15:50.540 the bar here this is this has to be very 00:15:50.540 --> 00:15:53.110 careful with the generating commands 00:15:53.110 --> 00:15:55.309 because if you put bar inside it will 00:15:55.309 --> 00:16:01.069 not work now when my input is main ok in 00:16:01.069 --> 00:16:04.579 that case I will return the string 00:16:04.579 --> 00:16:10.309 called search index equals to main here 00:16:10.309 --> 00:16:12.620 also another good thing is when you run 00:16:12.620 --> 00:16:14.540 index equals to main from your search 00:16:14.540 --> 00:16:16.670 prompt right you do not need to mention 00:16:16.670 --> 00:16:18.680 search then index equals to main 00:16:18.680 --> 00:16:21.829 because that is by default comes up but 00:16:21.829 --> 00:16:23.899 when you use it in a macro or somewhere 00:16:23.899 --> 00:16:24.230 else 00:16:24.230 --> 00:16:27.110 you have to put it like this search then 00:16:27.110 --> 00:16:31.160 index equals to main okay so this thing I 00:16:31.160 --> 00:16:33.350 will be returning says my macro has one 00:16:33.350 --> 00:16:37.069 input so I will be giving one here okay 00:16:37.069 --> 00:16:39.230 validation we are not doing anything now 00:16:39.230 --> 00:16:44.389 so let's save it okay this is our third 00:16:44.389 --> 00:16:48.769 macro so get journal or main see if I 00:16:48.769 --> 00:16:53.750 run this macro now okay so as I said it 00:16:53.750 --> 00:16:56.149 has a generating command that's why I am 
00:16:56.149 --> 00:16:59.959 giving a bar over here then my tick and 00:16:59.959 --> 00:17:03.680 then my input let's say I will be giving 00:17:03.680 --> 00:17:09.530 input as get journal I want to know I 00:17:09.530 --> 00:17:11.480 want to work with the data set to get 00:17:11.480 --> 00:17:21.220 journal okay so if let's see okay 00:17:21.220 --> 00:17:28.370 bracket is missing over here save now 00:17:28.370 --> 00:17:30.020 if you see if I run this macro again it 00:17:30.020 --> 00:17:31.640 is giving me same because sometimes it's 00:17:31.640 --> 00:17:34.520 not you don't take the refreshed value 00:17:34.520 --> 00:17:36.620 so what I will do in this case just copy 00:17:36.620 --> 00:17:41.690 this code close it Danny taking such 00:17:41.690 --> 00:17:43.340 Factory unknown search comma 00:17:43.340 --> 00:17:55.850 and case to see what's going on okay it 00:17:55.850 --> 00:17:58.280 has to be eval based macro because it is 00:17:58.280 --> 00:18:01.190 returning a string now right so let's say 00:18:01.190 --> 00:18:10.760 wait and let it is not okay now if you 00:18:10.760 --> 00:18:13.910 see if I run this get journal macro so 00:18:13.910 --> 00:18:15.410 it is giving me this data set where it 00:18:15.410 --> 00:18:17.230 is running that get journal star 00:18:17.230 --> 00:18:19.130 generating command and giving me this 00:18:19.130 --> 00:18:23.510 result if I say main in this case it is 00:18:23.510 --> 00:18:26.090 giving me this data set where I have 00:18:26.090 --> 00:18:29.750 indexed my data so this is how you can 00:18:29.750 --> 00:18:33.020 create a eval based macro okay so now 00:18:33.020 --> 00:18:36.770 macro has a diff separate permissions as 00:18:36.770 --> 00:18:39.590 well if you see from this macro macro 00:18:39.590 --> 00:18:44.090 list page you can and you can set the 00:18:44.090 --> 00:18:46.430 permissions as well so currently I will 00:18:46.430 --> 00:18:48.050 show you I will set this permission as 00:18:48.050 
--> 00:18:50.330 this app only and read I will say 00:18:50.330 --> 00:18:52.940 everyone and write let's say admin let's 00:18:52.940 --> 00:18:57.380 do it for all the macros permission so 00:18:57.380 --> 00:18:58.520 you have to be very careful with the 00:18:58.520 --> 00:19:02.480 macro permissions as well otherwise any 00:19:02.480 --> 00:19:04.520 unprivileged user will not be able to 00:19:04.520 --> 00:19:07.100 run this macro and your dashboard will 00:19:07.100 --> 00:19:11.890 not show up anything so read/write okay 00:19:11.890 --> 00:19:14.330 now we have set the permissions of the 00:19:14.330 --> 00:19:17.120 macro as well now let's see what's going 00:19:17.120 --> 00:19:19.490 on at the background so I am in my 00:19:19.490 --> 00:19:24.020 Splunk home I will go to etc apps tmdb 00:19:24.020 --> 00:19:26.990 app and I will go to my local folder if 00:19:26.990 --> 00:19:28.970 you see whenever you creates a macro 00:19:28.970 --> 00:19:31.220 it's creates a another conf file called 00:19:31.220 --> 00:19:34.100 macros.conf I will open this file and 00:19:34.100 --> 00:19:37.190 if you see all different macros we have 00:19:37.190 --> 00:19:39.080 created it gets separate separate 00:19:39.080 --> 00:19:43.040 stanza for that macro name and with all 00:19:43.040 --> 00:19:45.920 the input numbers right and args is the 00:19:45.920 --> 00:19:49.070 inputs of this macros wait for bonus if 00:19:49.070 --> 00:19:52.820 you see here for bonus my arguments are 00:19:52.820 --> 00:19:55.520 VP and bonus like two arguments those are 00:19:55.520 --> 00:19:56.840 showing up here this 00:19:56.840 --> 00:19:59.240 the macro definition this is the error 00:19:59.240 --> 00:20:02.029 message you set it for this macro this 00:20:02.029 --> 00:20:03.320 is the validation you have set it for 00:20:03.320 --> 00:20:06.470 this macro and this iseval is telling 00:20:06.470 --> 00:20:08.480 you whether this macro is eval based or 00:20:08.480 --> 00:20:10.909 not 
as our last macro get journal or 00:20:10.909 --> 00:20:13.789 main is eval based that's why iseval is 00:20:13.789 --> 00:20:16.130 one for rest of the two macros iseval 00:20:16.130 --> 00:20:21.080 is zero okay now you can you can call a 00:20:21.080 --> 00:20:23.779 macro another inside another macro so to 00:20:23.779 --> 00:20:26.690 do that let's do this exercise where we 00:20:26.690 --> 00:20:28.490 have created this total salary right 00:20:28.490 --> 00:20:29.929 and also bonus 00:20:29.929 --> 00:20:31.940 so inside total salary we will try to 00:20:31.940 --> 00:20:35.059 call this bonus one to do that I will 00:20:35.059 --> 00:20:37.549 do one thing I will clone this total 00:20:37.549 --> 00:20:40.309 salary macro no I like this let's let's 00:20:40.309 --> 00:20:43.870 get a new one only it's a total salary 00:20:43.870 --> 00:20:48.460 total salary 00:20:49.779 --> 00:20:50.990 v2 00:20:50.990 --> 00:20:53.870 version 2 okay so what I will do it will 00:20:53.870 --> 00:20:57.200 not be eval based macro let's say my 00:20:57.200 --> 00:21:01.850 previous will be there eval right so 00:21:01.850 --> 00:21:06.200 it has two arguments basic salary and 00:21:06.200 --> 00:21:11.149 variable percent right now I'll be 00:21:11.149 --> 00:21:14.419 adding this bonus as well so bonus 00:21:14.419 --> 00:21:16.279 requires another extra input called 00:21:16.279 --> 00:21:19.460 bonus right so I will be adding this as 00:21:19.460 --> 00:21:23.179 a extra input comma this so my total 00:21:23.179 --> 00:21:27.020 macro inputs will be three basic salary 00:21:27.020 --> 00:21:29.750 and variable pay will be will be used 00:21:29.750 --> 00:21:33.020 here and variable pay and bonus will be 00:21:33.020 --> 00:21:35.659 used in another eval statement which we 00:21:35.659 --> 00:21:37.730 have which will be a calling in this 00:21:37.730 --> 00:21:40.760 bonus macro right so in this case I will 00:21:40.760 --> 00:21:44.360 be calling this bonus 
macro inside so 00:21:44.360 --> 00:21:48.830 I'll say this one pipe then my bonus 00:21:48.830 --> 00:21:51.549 macro bonus macro takes two arguments 00:21:51.549 --> 00:21:54.830 one is variable percent and another is 00:21:54.830 --> 00:21:59.659 bonus so variable percent I'll pass and 00:21:59.659 --> 00:22:04.370 I'll pass this bonus as well so ideally 00:22:04.370 --> 00:22:06.740 the behavior should be same as we have 00:22:06.740 --> 00:22:10.530 seen before right so 00:22:10.530 --> 00:22:18.750 done tick okay so now let's save it okay 00:22:18.750 --> 00:22:21.690 so total salary 2 so before before I do 00:22:21.690 --> 00:22:27.030 that so let us run our macro so I'll 00:22:27.030 --> 00:22:31.669 just copy paste that code portion here 00:22:31.669 --> 00:22:35.850 right so I'll just copy paste this code 00:22:35.850 --> 00:22:37.880 portion here 00:22:37.880 --> 00:22:41.190 it's a macro total salary nan okay I 00:22:41.190 --> 00:22:47.390 think total I am my macro is total 7 00:22:54.260 --> 00:23:00.000 this mismatch parenthesis okay okay so 00:23:00.000 --> 00:23:03.000 it has created this one in this new new 00:23:03.000 --> 00:23:06.330 field in the new search field what I 00:23:06.330 --> 00:23:09.510 will do is on after this one 00:23:09.510 --> 00:23:13.020 I will be calling my total salary 00:23:13.020 --> 00:23:16.020 version 2 macro okay what it is doing 00:23:16.020 --> 00:23:18.480 the work of both of these 2 bonus and 00:23:18.480 --> 00:23:20.880 total salary right so total salary 00:23:20.880 --> 00:23:26.640 version 2 okay so my tick version 2 00:23:26.640 --> 00:23:29.580 version 2 requires three arguments one 00:23:29.580 --> 00:23:32.220 is my basic salary variable percent and 00:23:32.220 --> 00:23:35.039 the similar percent value I will give 8 00:23:35.039 --> 00:23:36.929 so that we can at least compare what's 00:23:36.929 --> 00:23:41.340 the outputs so if I run this one see if 00:23:41.340 --> 00:23:42.720 it is it is working 
in the same way 00:23:42.720 --> 00:23:45.150 where it is getting this bonus field and 00:23:45.150 --> 00:23:46.860 total salary and if you see the output 00:23:46.860 --> 00:23:49.549 is same as well 00:23:49.549 --> 00:23:53.700 15 22 we have given seven here okay 00:23:53.700 --> 00:23:57.600 let's let's run it with seven only see 00:23:57.600 --> 00:23:59.159 if you see fifteen twenty two twenty two 00:23:59.159 --> 00:24:01.770 twenty seventeen ten seventy like this 00:24:01.770 --> 00:24:05.610 okay so this is how you can call a macro 00:24:05.610 --> 00:24:08.370 inside another macro as well so if you 00:24:08.370 --> 00:24:11.940 see here by by by by this structure you 00:24:11.940 --> 00:24:14.850 can achieve a very complex structure as 00:24:14.850 --> 00:24:18.179 well and complex structure which which 00:24:18.179 --> 00:24:20.250 is basically a useable component in 00:24:20.250 --> 00:24:24.210 Splunk search query okay so this is how 00:24:24.210 --> 00:24:26.520 you need to know basically to deal with 00:24:26.520 --> 00:24:29.790 macros and macros are very useful in 00:24:29.790 --> 00:24:32.760 Splunk because not only it it it gives 00:24:32.760 --> 00:24:36.240 you the modularity approach but also 00:24:36.240 --> 00:24:38.820 it's it's is give you the very shorter 00:24:38.820 --> 00:24:41.070 search string and very readable code 00:24:41.070 --> 00:24:45.350 as well ok see you in next video