Okay. Today, we'll discuss Splunk
macros. Okay. So, Splunk macros--you can
think of them as reusable components in
your Splunk search where, suppose a
particular search portion is
if you used many times, then you
can put it in a macro so that you can
call that macro, and the macro will be
replaced at runtime with that search string.
Okay? So, macros are very, very useful when,
suppose you have many dashboards in your
application. And in all these dashboards, you
have some search which is running in all
the dashboards. Right? So, in this case, you
can implement that search portion in a
macro so that you can just call that macro
instead of using the whole search string in
your dashboards. So, in the future, if you
want to make any changes in that search
logic, we'll just change it in
one place--in that macro body. Okay?
So, by implementing a macro, basically, we
are achieving two things. One is the
modularity of your code--easy
maintenance of your code--as well as
your search string will be much
smaller. Okay? So, there are
two different types of macros we
generally deal with. One is an eval-based
macro, and another is a non-eval-based
macro. So, before we discuss those things,
let me show you the data I have here.
So, I have some people's names, their
basic salary, and variable percent. So,
I'll show you how to create an eval-based macro,
how to create a non-eval-based
macro, what the differences are
between them, and then how to call a
macro instead of the macro also. We'll try to
discuss that one. Because first, let us
see how we can create a non-eval macro.
So now, an eval macro and a non-eval macro--
if you see functionality-wise, both are the
same. So, when we define a macro--the macro
body--you are giving the search string. Right? So,
dynamically at runtime, that
macro will be replaced
by that macro body by Splunk search.
Okay? Now, when we talk about eval-based
macros, it is expected that the macro is
returning a string. When you use a non-eval-based macro,
you can directly put the
search string inside the macro. So, let me
show you. Suppose I want to calculate
total salary based on this formula:
called basic salary. Let me show you.
Basic salary plus basic into the
percentage--variable
percent. Okay? So, to do that--to create any
macro from the Splunk UI--this is how you
do it. You'll go to Settings. We go to
Advanced Search. Okay? From there, if you
see, there is an option called Search Macros.
You go there. You select your app
from there. So, I'll be creating this
macro in my TMDB app. So, I have selected
TMDB over here, then New Search Macro.
Okay? If you see the destination, I've
already selected it as TMDB. I'll give it a
name. Let's say, total salary. Okay? So now,
whether a macro is eval-based or not is
determined by this checkbox. If you
check this one, it will be an eval-based
macro. If you don't check this one,
it will be a non-eval-based macro. So
first, we'll discuss the non-eval-based macro.
So, what I am trying to say
is--whenever we
are creating a non-eval-based macro, we
can directly give a search string over
there. So, my search string will be
something like this. I'll be creating a
new field called total salary. So, that's
why eval total_salary =. Now,
I'll be passing this to my basic
salary and variable percent to this
macro. Right? To do that, what I'll do
is create arguments for this macro:
basic salary. So, in the argument
section, you'll be giving
these two things: basic salary and
variable percent. That's two arguments. As the
macro has two arguments, it is mandatory
that in this Name section, you give how
many number of arguments you have in
your macro. If it is one, you have to give
one here. Okay? Now the formula is: my
basic salary. Now, this basic salary is my
input variable. Right? So, to access input
variables, you access like this--just like
a token. Okay? Basic salary plus my basic
salary into that variable percent. Again,
as input, I am accessing. Right? Then
divided by 100. So, this will be my
macro body. Now, there are two options
for Validation Expression and Validation
Error Message. I will show you in the
next macro. So, if I save it--okay.
So, if you see, the macro has been created.
Now, if I call this macro over here--so to
call a macro, this is how you call: there
is a tick mark, if you see, okay, from your
keyboard, then the macro name--total
salary--and it has two arguments, right? My
basic salary and my variable percent,
then tick end. Now, this basic salary
corresponds to this basic salary, and
variable percent corresponds to this
variable percent field.
Now, when you define the macro, I have
given the same name as the macro input. You
can give any input variable name
over here. The same name you have to use
over here as well. But when you pass the
macro--pass this with basic salary and variable
percent to this macro--you'll be giving
the field names only. Okay?
So, let us run it and see what's going on.
If you see, it has created a total salary
field with this formula output--4,000 plus
4,000 into 15% is 4,600. Right? So, it is
basically the same as what is
happening at runtime. So, if
instead of total salary, I just gave
this one, and instead of this token
variable, I just gave my field name here,
the output will be the same--variable percent.
The output will be the same. So, this is also
what is happening as well. So, at runtime,
Splunk is replacing this macro body with
these variable inputs, and then it is
running the query. So ultimately, this
query is getting run. Okay? But the
thing is--this code, if you put it in
a macro--you can call that macro anywhere
in usage. So that means this code
portion will be reusable now. Okay? Now,
let's see an example where we can use
this validation expression and
validation error message. Now,
validation expression is used when you
want to do some kind of validation on
your macro inputs. Okay? And validation
error message means when this input is
getting--or this validation is getting--
failed, this error message will be
displayed over there. So, to do that, what
I'll do is create another macro.
Okay? So now, let's say, we have basic
salary and variable percent. Right? Let's
say we want to calculate a bonus
percentage with this formula: called
variable percent plus any other percent--
any number. Let's say, any number--
7% or 8%, any number
I’ll put for our inputs. It'll give me--it'll
add those two percentage values and
give me the bonus percent. Okay? So, to do
that, I'll just create that similar
macro named "bonus."
Okay? So, the formula will be--again--it
will be non-eval-based. Okay? eval bonus =.
So, my variable percent, right,
I have to provide as an input, so I'll be
giving input. So, let's say this time I
will rename this to something--VP. So,
I'll say $VP$, then plus
another input I'll be giving--let's say,
bonus input. Okay? So, this bonus, I'll be
adding here. Okay. Bonus. So, we have two
inputs. That means we have to give two
over here. Now I'll add an expression. Now,
I always want this bonus to be a number.
Okay? To do that--so, this validation
expression has to be a Boolean
expression or eval. Okay? So, if you saw my
previous video, we discussed the
various eval expressions. Right? And some
of the expressions return Boolean--like
the like operator, in operator, or
isnum operator, which basically checks
whether a particular input is a number or
not. So, we'll be using isnum over
here on this bonus. That means I am
checking whether whatever I am providing
as input to this bonus variable
parameter is a number or not. If
it is not a number, I'll give this
output error message: "Bonus must
be a number." Okay?
So, let's save this macro. Okay? Now I will
call this macro here. Let it be--my total
salary macro called as--is. If I just do
Ctrl+C--
okay. Here, I am calling my total salary. So
just tick the output. Now, after that, I'll
be calling the bonus macro. Right? So,
similar way: tick, macro name, macro
inputs. One of the inputs will be my
variable percent, and another
input maybe--let's say, 8% I want
to add to the variable percent. So, what
will be the output? In this case, it should
create a new field called "bonus" with 15
plus 8, 20 plus 8—something like this.
Okay? If you see, you can
access different macros in
your whole search. Okay? Now, let's say I
have provided a string here--it says test.
Okay. What is happening? So, if you provide
a string here, that validation is
getting failed. We have added over here
isnum. So, that's why it is giving you this
error: "Bonus must be a number." So, this is
how macro input validation works. Okay. Let
us continue. Now, we will discuss
how to create an eval macro. So, to do
that, what we'll do is--first, let me show
you two things. If you remember from my
previous video, we created a command
called getjournals. Right? And that
command takes an input with the journal
ID. And if we are not giving any journal
ID and we are giving *, it will give you all
the journal details. Right? And also, we
have... We have created a...
We have indexed our data into this main index.
Right? So, we have another dataset
called "main" where we are having
this salary and this information. Just
now we are working with this dataset. So,
suppose there is a requirement that,
based on a certain condition, either I need
to go with this dataset or I need to go
with that dataset. In this type of
scenario--where dynamically you have to
determine which dataset to work on, or
dynamically determine
which search string to return--
eval macros
come into the picture. Okay? Because the
main concept behind an eval macro is it has
to return a string. So, in that case, how
you will create it is like this. Let's say,
new search macro. I'll give a name called
getjournal_or_mainindex. Okay? Just
like a name to show you the use
case of it. So, here, what I will write--
I’ll write an if or case statement. Generally,
we mostly write an if or case
statement for eval-based macros,
so that we can have different
conditions, and based on the condition, we
return the search string. But
ultimately, if you see, we’re returning the
search string only at the end of the day--
so that Splunk will replace that macro
with that search string. So, I’m saying I’ll
provide the argument here. Let’s say,
same argument name. So,
either I’ll provide getjournal, or I’ll
provide main as my argument
value. Okay? I’ll show you how I
provide that one.
case($input$ == "getjournal", "getjournals *", $input$ == "main", "search index=main")
As it is within quotes, remember that this one
has to be in quotes as well. Or, when you are
calling it, you have to call with
quotes. I prefer it like this only so
that everything is inside your
macro. In that case, the string I
will return is this command: getjournals *.
Now, you have to be very careful over
here when you deal with a generating
command. If you see, getjournals is a
generating command. Right? That’s why this
has to be the first command in your
search string. Now, for generating commands,
when you run it--if you see--there is a
bar (|) over here in the search bar. Right? After
that only, if I run this command without
this bar, nothing will come up. So,
it requires this bar. But when you put
this getjournals *--this generating
command--inside a macro, you put it
without the bar, so that when you call
the macro, you’ll call with | then
macro name. I’ll show you that one as
well. That’s why I’m giving it without
the bar here. This is important--you have to be very
careful with generating commands.
Because if you put the bar inside, it will
not work. Now, when my input is "main"--okay--in
that case, I will return the string
called search index=main. Here
also, another good thing is when you run
index=main from your search
prompt, you do not need to mention
search then index=main,
because that comes by default. But
when you use it in a macro or somewhere
else,
you have to put it like this: search
index=main. Okay? So, this string I’ll
be returning. Since the macro has one
input, I’ll be giving 1 here. Okay? For now,
validation. We are not doing anything,
so let’s save it. Okay? This is our third
macro--getjournal_or_main. So, if I
run this macro now--okay--as I said, it
has a generating command, that’s why I’m
giving a bar over here, then my tick, and
then my input. Let’s say I’ll be giving
input as getjournal. I
want to work with the dataset getjournal. Okay?
Let’s see. Okay. I have a
bracket that’s missing over here. Save.
If you see, if I run this macro again, it
is giving me the same because sometimes it
doesn’t take the refreshed value.
So, what I’ll do in this case--just copy
this code, close it, run it again.
SearchFactory Unknown search command
'case'. Let’s see what’s going on. Okay. It
has to be an eval-based macro because it is
returning a string now. Right? So, let’s
save it, and let’s rerun it. Okay. It is not-- Okay. Now, if you
see, if I run this getjournal macro,
it is giving me this dataset where it
is running that getjournal *
generating command and giving me this
result. If I say main, in this case, it is
giving me this dataset where I have
indexed my data. So, this is how you can
create an eval-based macro. Okay? So now,
macros have different permissions as
well. If you see from this macro
list page, you can set the
permissions as well. So currently, I'll
show you. I'll set this permission as
"this app only" and read--I'll say
everyone, and write--let's say, admin. Let's
do it for all the macro permissions. So,
you have to be very careful with the
macro permissions as well. Otherwise, any
unprivileged user will not be able to
run this macro, and your dashboard will
not show up anything. So, read--right. Okay.
Now, we have set the permissions of the
macro as well. Now, let's see what's going
on in the background. So, I am in my
Splunk home. I'll go to etc/apps/tmdb_app/,
and I'll go to my local folder. If
you see, whenever you create a macro,
it creates another conf file called
macros.conf. I'll open this file. And
if you see all the different macros we have
created, it creates separate
stanzas for each macro name with all
the input numbers. Right? And args are the
inputs of these macros. Right? For bonus, if
you see here, my arguments are
VP and bonus. Right? Two arguments--those are
showing up here. This is
the macro definition. This is the error
message you set for this macro. This
is the validation you have set for
this macro. And iseval is telling
you whether this macro is eval-based or
not. As our last macro, getjournal_or_main,
is eval-based, that's why iseval is
1. For the rest of the two macros, iseval
is 0. Okay? Now, you can call a
macro inside another macro. So, to
do that, let's do this exercise where we
have created this totalsalary, right?
And also bonus.
So, inside totalsalary, we'll try to
call this bonus one. To do that, I'll
do one thing. I'll clone this totalsalary macro.
No--let's just
get a new one only. Let's say, totalsalary_v2 (version two).
Okay? So, what I will do--it will
not be an eval-based macro. Let's say my
previous one was eval, right? So,
it has two arguments: basic_salary and
variable_percent. Right? Now, I'll be
adding this bonus as well. So, bonus
requires another extra input called
bonus, right? So, I'll be adding this as
an extra input--comma, this. So, my total
macro inputs will be three. basic_salary
and variable_percent will be used
here, and variable_percent and bonus will be
used in another eval statement,
which you'll be calling in this
bonus macro. Right? So, in this case, I'll
be calling this bonus macro inside. So,
I'll set this one—pipe, then my bonus
macro. bonus macro takes two arguments.
One is variable_percent, and another is
bonus. So, variable_percent I'll pass, and
I'll pass this bonus as well. So, ideally,
the behavior should be the same as we have
seen before. Right? So,
done. Tick. Okay. Now, let's save it. Okay.
So, totalsalary_v2. So, before we do
that, let us run our macro. So, I'll
just copy-paste that code portion here.
Right. So, I'll just copy-paste this code
portion here.
It's mac_totalsalary_non--okay, I
think my macro is totalsalary. It
It has mismatched parenthesis. Okay. Okay. So,
it has created this one. In this new
field, in the new search field, what I'll
do is--after this one--
I'll be calling my totalsalary_v2 macro.
Okay? Where it is doing
the work of both of these two--bonus and
totalsalary. Right? So, totalsalary_v2.
Okay. So, my tick--v2. v2
requires three arguments. One
is my basic_salary, variable_percent, and
the similar percent value--I'll give 8
so that we can at least compare
the outputs. So, if I run this one--see--
it is working in the same way,
where it is getting this bonus field and
totalsalary. And if you see, the output
is same as well.
$15.22. We have given 7 here. Okay.
Let's run it with 7 only. So,
if you see--15.22, 20.22, 17.10, 17 like this.
Okay? So, this is how you can call a macro
inside another macro as well. So, if you
see here, by this structure, you
can achieve a very complex structure as
well--a complex structure which
is basically a reusable component in
Splunk search queries. Okay? So, this is what
you need to know, basically, to deal with
macros. And macros are very useful in
Splunk because not only do they give
you the modularity approach, but also
they give you a very short
search string and very readable code as well.
Okay? See you in the next video.