0:00:00.030,0:00:02.939 Okay. Today, we'll discuss Splunk 0:00:02.939,0:00:06.240 macros. Okay. So, Splunk macros--you can 0:00:06.240,0:00:09.090 think of them as reusable components in 0:00:09.090,0:00:12.960 your Splunk search where, suppose a 0:00:12.960,0:00:15.870 particular search portion is 0:00:15.870,0:00:18.930 used many times, then you 0:00:18.930,0:00:20.460 can put it in a macro so that you can 0:00:20.460,0:00:23.580 call that macro, and the macro will be 0:00:23.580,0:00:26.310 replaced at runtime with that search string. 0:00:26.310,0:00:28.920 Okay? So, macros are very, very useful when, 0:00:28.920,0:00:31.890 suppose you have many dashboards in your 0:00:31.890,0:00:34.590 application. And in all these dashboards, you 0:00:34.590,0:00:38.670 have some search which is running in all 0:00:38.670,0:00:41.610 the dashboards. Right? So, in this case, you 0:00:41.610,0:00:43.410 can implement that search portion in a 0:00:43.410,0:00:45.680 macro so that you can just call that macro 0:00:45.680,0:00:47.850 instead of using the whole search string in 0:00:47.850,0:00:50.370 your dashboards. So, in the future, if you 0:00:50.370,0:00:52.440 want to make any changes in that search 0:00:52.440,0:00:55.140 logic, we'll just change it in 0:00:55.140,0:00:58.530 one place--in that macro body. Okay? 0:00:58.530,0:01:01.350 So, by implementing a macro, basically, we 0:01:01.350,0:01:04.170 are achieving two things. One is the 0:01:04.170,0:01:06.930 modularity of your code--easy 0:01:06.930,0:01:09.630 maintenance of your code--as well as 0:01:09.630,0:01:11.250 your search string will be much 0:01:11.250,0:01:15.720 smaller. Okay? So, there are 0:01:15.720,0:01:18.689 two different types of macros we 0:01:18.689,0:01:20.580 generally deal with. One is an eval-based 0:01:20.580,0:01:23.189 macro, and another is a non-eval-based 0:01:23.189,0:01:26.400 macro. 
So, before we discuss those things, 0:01:26.400,0:01:29.790 let me show you the data I have here. 0:01:29.790,0:01:32.909 So, I have some people's names, their 0:01:32.909,0:01:36.270 basic salary, and variable percent. So, 0:01:36.270,0:01:40.670 I'll show you how to create an eval-based macro, 0:01:40.670,0:01:42.420 how to create a non-eval-based 0:01:42.420,0:01:43.710 macro, what the differences are 0:01:43.710,0:01:47.939 between them, and then how to call a 0:01:47.939,0:01:49.860 macro inside the macro also. We'll try to 0:01:49.860,0:01:52.470 discuss that one. Because first, let us 0:01:52.470,0:01:56.759 see how we can create a non-eval macro. 0:01:56.759,0:02:00.409 So now, an eval macro and a non-eval macro-- 0:02:00.409,0:02:03.600 if you see functionality-wise, both are the 0:02:03.600,0:02:07.020 same. So, when we define a macro--the macro 0:02:07.020,0:02:09.890 body--you are giving the search string. Right? So, 0:02:09.890,0:02:12.900 dynamically at runtime, that 0:02:12.900,0:02:15.670 macro will be replaced 0:02:15.670,0:02:18.160 by that macro body by Splunk search. 0:02:18.160,0:02:22.810 Okay? Now, when we talk about eval-based 0:02:22.810,0:02:26.500 macros, it is expected that the macro is 0:02:26.500,0:02:31.050 returning a string. When you use a non-eval-based macro, 0:02:31.050,0:02:32.140 you can directly put the 0:02:32.140,0:02:34.210 search string inside the macro. So, let me 0:02:34.210,0:02:37.240 show you. Suppose I want to calculate 0:02:37.240,0:02:40.000 total salary based on this formula: 0:02:40.000,0:02:43.240 called basic salary. Let me show you. 0:02:43.240,0:02:50.340 Basic salary plus basic into the 0:02:50.340,0:02:54.160 percentage--variable 0:02:54.160,0:02:58.390 percent. Okay? So, to do that--to create any 0:02:58.390,0:03:01.180 macro from the Splunk UI--this is how you 0:03:01.180,0:03:03.850 do it. You'll go to Settings. We go to 0:03:03.850,0:03:08.170 Advanced Search. Okay? 
From there, if you 0:03:08.170,0:03:11.560 see, there is an option called Search Macros. 0:03:11.560,0:03:13.270 You go there. You select your app 0:03:13.270,0:03:15.520 from there. So, I'll be creating this 0:03:15.520,0:03:17.800 macro in my TMDB app. So, I have selected 0:03:17.800,0:03:20.850 TMDB over here, then New Search Macro. 0:03:20.850,0:03:23.709 Okay? If you see the destination, I've 0:03:23.709,0:03:26.410 already selected it as TMDB. I'll give it a 0:03:26.410,0:03:36.150 name. Let's say, total salary. Okay? So now, 0:03:36.150,0:03:39.220 whether a macro is eval-based or not is 0:03:39.220,0:03:41.200 determined by this checkbox. If you 0:03:41.200,0:03:43.020 check this one, it will be an eval-based 0:03:43.020,0:03:45.489 macro. If you don't check this one, 0:03:45.489,0:03:48.220 it will be a non-eval-based macro. So 0:03:48.220,0:03:50.670 first, we'll discuss the non-eval-based macro. 0:03:50.670,0:03:51.730 So, what I am trying to say 0:03:51.730,0:03:55.180 is--whenever we 0:03:55.180,0:03:57.459 are creating a non-eval-based macro, we 0:03:57.459,0:03:59.110 can directly give a search string over 0:03:59.110,0:04:01.270 there. So, my search string will be 0:04:01.270,0:04:03.160 something like this. I'll be creating a 0:04:03.160,0:04:05.890 new field called total salary. So, that's 0:04:05.890,0:04:13.510 why eval total_salary =. Now, 0:04:13.510,0:04:17.380 I'll be passing this to my basic 0:04:17.380,0:04:19.870 salary and variable percent to this 0:04:19.870,0:04:22.720 macro. Right? To do that, what I'll do 0:04:22.720,0:04:26.080 is create arguments for this macro: 0:04:26.080,0:04:28.300 basic salary. So, in the argument 0:04:28.300,0:04:32.550 section, you'll be giving 0:04:32.550,0:04:35.710 these two things: basic salary and 0:04:35.710,0:04:40.360 variable percent. That's two arguments. 
As the 0:04:40.360,0:04:42.789 macro has two arguments, it is mandatory 0:04:42.789,0:04:46.780 that in this Name section, you give how 0:04:46.780,0:04:48.819 many number of arguments you have in 0:04:48.819,0:04:50.830 your macro. If it is one, you have to give 0:04:50.830,0:04:55.629 one here. Okay? Now the formula is: my 0:04:55.629,0:04:59.139 basic salary. Now, this basic salary is my 0:04:59.139,0:05:03.009 input variable. Right? So, to access input 0:05:03.009,0:05:04.780 variables, you access like this--just like 0:05:04.780,0:05:11.770 a token. Okay? Basic salary plus my basic 0:05:11.770,0:05:21.159 salary into that variable percent. Again, 0:05:21.159,0:05:26.319 as input, I am accessing. Right? Then 0:05:26.319,0:05:29.849 divided by 100. So, this will be my 0:05:29.849,0:05:33.759 macro body. Now, there are two options 0:05:33.759,0:05:35.229 for Validation Expression and Validation 0:05:35.229,0:05:36.580 Error Message. I will show you in the 0:05:36.580,0:05:42.400 next macro. So, if I save it--okay. 0:05:42.400,0:05:44.909 So, if you see, the macro has been created. 0:05:44.909,0:05:49.509 Now, if I call this macro over here--so to 0:05:49.509,0:05:51.520 call a macro, this is how you call: there 0:05:51.520,0:05:54.400 is a tick mark, if you see, okay, from your 0:05:54.400,0:06:01.060 keyboard, then the macro name--total 0:06:01.060,0:06:04.690 salary--and it has two arguments, right? My 0:06:04.690,0:06:08.699 basic salary and my variable percent, 0:06:08.699,0:06:13.150 then tick end. Now, this basic salary 0:06:13.150,0:06:15.129 corresponds to this basic salary, and 0:06:15.129,0:06:16.719 variable percent corresponds to this 0:06:16.719,0:06:18.069 variable percent field. 0:06:18.069,0:06:21.279 Now, when you define the macro, I have 0:06:21.279,0:06:23.050 given the same name as the macro input. You 0:06:23.050,0:06:26.080 can give any input variable name 0:06:26.080,0:06:28.000 over here. 
The same name you have to use 0:06:28.000,0:06:30.580 over here as well. But when you pass the 0:06:30.580,0:06:33.759 macro--pass this with basic salary and variable 0:06:33.759,0:06:35.860 percent to this macro--you'll be giving 0:06:35.860,0:06:37.449 the field names only. Okay? 0:06:37.449,0:06:40.270 So, let us run it and see what's going on. 0:06:40.270,0:06:43.889 If you see, it has created a total salary 0:06:43.889,0:06:47.650 field with this formula output--4,000 plus 0:06:47.650,0:06:51.819 4,000 into 15% is 4,600. Right? So, it is 0:06:51.819,0:06:54.639 basically the same as what is 0:06:54.639,0:06:58.120 happening at runtime. So, if 0:06:58.120,0:07:00.099 instead of total salary, I just gave 0:07:00.099,0:07:04.300 this one, and instead of this token 0:07:04.300,0:07:07.960 variable, I just gave my field name here, 0:07:07.960,0:07:14.490 the output will be the same--variable percent. 0:07:14.490,0:07:18.520 The output will be the same. So, this is also 0:07:18.520,0:07:21.490 what is happening as well. So, at runtime, 0:07:21.490,0:07:25.060 Splunk is replacing this macro body with 0:07:25.060,0:07:28.029 these variable inputs, and then it is 0:07:28.029,0:07:29.710 running the query. So ultimately, this 0:07:29.710,0:07:32.740 query is getting run. Okay? But the 0:07:32.740,0:07:34.960 thing is--this code, if you put it in 0:07:34.960,0:07:36.909 a macro--you can call that macro anywhere 0:07:36.909,0:07:39.129 in usage. So that means this code 0:07:39.129,0:07:42.490 portion will be reusable now. Okay? Now, 0:07:42.490,0:07:46.149 let's see an example where we can use 0:07:46.149,0:07:47.680 this validation expression and 0:07:47.680,0:07:49.270 validation error message. Now, 0:07:49.270,0:07:51.699 validation expression is used when you 0:07:51.699,0:07:54.819 want to do some kind of validation on 0:07:54.819,0:08:00.279 your macro inputs. Okay? 
And validation 0:08:00.279,0:08:02.830 error message means when this input is 0:08:02.830,0:08:04.749 getting--or this validation is getting-- 0:08:04.749,0:08:06.430 failed, this error message will be 0:08:06.430,0:08:09.459 displayed over there. So, to do that, what 0:08:09.459,0:08:14.639 I'll do is create another macro. 0:08:14.639,0:08:20.110 Okay? So now, let's say, we have basic 0:08:20.110,0:08:22.569 salary and variable percent. Right? Let's 0:08:22.569,0:08:24.789 say we want to calculate a bonus 0:08:24.789,0:08:27.669 percentage with this formula: called 0:08:27.669,0:08:32.349 variable percent plus any other percent-- 0:08:32.349,0:08:35.620 any number. Let's say, any number-- 0:08:35.620,0:08:37.930 7% or 8%, any number 0:08:37.930,0:08:40.539 I’ll put for our inputs. It'll give me--it'll 0:08:40.539,0:08:43.060 add those two percentage values and 0:08:43.060,0:08:45.610 give me the bonus percent. Okay? So, to do 0:08:45.610,0:08:48.279 that, I'll just create that similar 0:08:48.279,0:08:51.110 macro named "bonus." 0:08:52.110,0:08:56.680 Okay? So, the formula will be--again--it 0:08:56.680,0:09:09.570 will be non-eval-based. Okay? eval bonus =. 0:09:09.570,0:09:13.839 So, my variable percent, right, 0:09:13.839,0:09:16.270 I have to provide as an input, so I'll be 0:09:16.270,0:09:18.790 giving input. So, let's say this time I 0:09:18.790,0:09:21.610 will rename this to something--VP. So, 0:09:21.610,0:09:27.810 I'll say $VP$, then plus 0:09:27.810,0:09:30.580 another input I'll be giving--let's say, 0:09:30.580,0:09:36.540 bonus input. Okay? So, this bonus, I'll be 0:09:36.540,0:09:42.190 adding here. Okay. Bonus. So, we have two 0:09:42.190,0:09:44.080 inputs. That means we have to give two 0:09:44.080,0:09:47.440 over here. Now I'll add an expression. Now, 0:09:47.440,0:09:50.260 I always want this bonus to be a number. 0:09:50.260,0:09:53.589 Okay? 
To do that--so, this validation 0:09:53.589,0:09:55.690 expression has to be a Boolean 0:09:55.690,0:09:59.079 expression or eval. Okay? So, if you saw my 0:09:59.079,0:10:01.209 previous video, we discussed the 0:10:01.209,0:10:04.390 various eval expressions. Right? And some 0:10:04.390,0:10:06.160 of the expressions return Boolean--like 0:10:06.160,0:10:08.800 the like operator, in operator, or 0:10:08.800,0:10:11.770 isnum operator, which basically checks 0:10:11.770,0:10:15.220 whether a particular input is a number or 0:10:15.220,0:10:17.230 not. So, we'll be using isnum over 0:10:17.230,0:10:20.529 here on this bonus. That means I am 0:10:20.529,0:10:23.290 checking whether whatever I am providing 0:10:23.290,0:10:25.380 as input to this bonus variable 0:10:25.380,0:10:28.630 parameter is a number or not. If 0:10:28.630,0:10:32.350 it is not a number, I'll give this 0:10:32.350,0:10:36.670 output error message: "Bonus must 0:10:36.670,0:10:41.490 be a number." Okay? 0:10:41.490,0:10:50.110 So, let's save this macro. Okay? Now I will 0:10:50.110,0:10:56.950 call this macro here. Let it be--my total 0:10:56.950,0:11:01.779 salary macro called as--is. If I just do 0:11:01.779,0:11:03.530 Ctrl+C-- 0:11:03.530,0:11:06.530 okay. Here, I am calling my total salary. So 0:11:06.530,0:11:08.930 just tick the output. Now, after that, I'll 0:11:08.930,0:11:14.930 be calling the bonus macro. Right? So, 0:11:14.930,0:11:17.960 similar way: tick, macro name, macro 0:11:17.960,0:11:19.760 inputs. One of the inputs will be my 0:11:19.760,0:11:22.820 variable percent, and another 0:11:22.820,0:11:25.790 input maybe--let's say, 8% I want 0:11:25.790,0:11:28.400 to add to the variable percent. So, what 0:11:28.400,0:11:30.770 will be the output? In this case, it should 0:11:30.770,0:11:33.560 create a new field called "bonus" with 15 0:11:33.560,0:11:35.780 plus 8, 20 plus 8—something like this. 0:11:35.780,0:11:39.400 Okay? 
If you see, you can 0:11:39.400,0:11:41.870 access different macros in 0:11:41.870,0:11:48.140 your whole search. Okay? Now, let's say I 0:11:48.140,0:11:52.570 have provided a string here--it says test. 0:11:52.570,0:11:55.280 Okay. What is happening? So, if you provide 0:11:55.280,0:11:57.770 a string here, that validation is 0:11:57.770,0:11:59.660 getting failed. We have added over here 0:11:59.660,0:12:02.450 isnum. So, that's why it is giving you this 0:12:02.450,0:12:05.510 error: "Bonus must be a number." So, this is 0:12:05.510,0:12:10.250 how macro input validation works. Okay. Let 0:12:10.250,0:12:15.280 us continue. Now, we will discuss 0:12:15.280,0:12:18.830 how to create an eval macro. So, to do 0:12:18.830,0:12:22.520 that, what we'll do is--first, let me show 0:12:22.520,0:12:24.920 you two things. If you remember from my 0:12:24.920,0:12:28.220 previous video, we created a command 0:12:28.220,0:12:31.940 called getjournals. Right? And that 0:12:31.940,0:12:33.800 command takes an input with the journal 0:12:33.800,0:12:36.410 ID. And if we are not giving any journal 0:12:36.410,0:12:38.780 ID and we are giving *, it will give you all 0:12:38.780,0:12:41.780 the journal details. Right? And also, we 0:12:41.780,0:12:47.630 have... We have created a... 0:12:47.630,0:12:50.750 We have indexed our data into this main index. 0:12:50.750,0:12:52.130 Right? So, we have another dataset 0:12:52.130,0:12:54.200 called "main" where we are having 0:12:54.200,0:12:56.270 this salary and this information. Just 0:12:56.270,0:12:58.520 now we are working with this dataset. So, 0:12:58.520,0:13:01.000 suppose there is a requirement that, 0:13:01.000,0:13:04.730 based on a certain condition, either I need 0:13:04.730,0:13:09.110 to go with this dataset or I need to go 0:13:09.110,0:13:11.330 with that dataset. 
In this type of 0:13:11.330,0:13:13.730 scenario--where dynamically you have to 0:13:13.730,0:13:15.980 determine which dataset to work on, or 0:13:15.980,0:13:17.329 dynamically determine 0:13:17.329,0:13:22.549 which search string to return-- 0:13:22.549,0:13:25.100 eval macros 0:13:25.100,0:13:28.489 come into the picture. Okay? Because the 0:13:28.489,0:13:31.129 main concept behind an eval macro is it has 0:13:31.129,0:13:34.279 to return a string. So, in that case, how 0:13:34.279,0:13:36.410 you will create it is like this. Let's say, 0:13:36.410,0:13:39.529 new search macro. I'll give a name called 0:13:39.529,0:13:46.579 getjournal_or_mainindex. Okay? Just 0:13:46.579,0:13:48.679 like a name to show you the use 0:13:48.679,0:13:51.980 case of it. So, here, what I will write-- 0:13:51.980,0:13:53.899 I’ll write an if or case statement. Generally, 0:13:53.899,0:13:55.489 we mostly write an if or case 0:13:55.489,0:13:59.329 statement for eval-based macros, 0:13:59.329,0:14:02.089 so that we can have different 0:14:02.089,0:14:03.470 conditions, and based on the condition, we 0:14:03.470,0:14:05.239 return the search string. But 0:14:05.239,0:14:07.220 ultimately, if you see, we’re returning the 0:14:07.220,0:14:09.019 search string only at the end of the day-- 0:14:09.019,0:14:11.029 so that Splunk will replace that macro 0:14:11.029,0:14:13.399 with that search string. So, I’m saying I’ll 0:14:13.399,0:14:17.649 provide the argument here. Let’s say, 0:14:17.649,0:14:21.170 same argument name. So, 0:14:21.170,0:14:23.360 either I’ll provide getjournal, or I’ll 0:14:23.360,0:14:25.879 provide main as my argument 0:14:25.879,0:14:27.980 value. Okay? I’ll show you how I 0:14:27.980,0:14:29.289 provide that one. 0:14:29.289,0:14:42.340 case($input$ == "getjournal", "getjournals *", $input$ == "main", "search index=main") 0:14:42.340,0:14:46.639 As it is within quotes, remember that this one 0:14:46.639,0:14:49.699 has to be in quotes as well. 
Or, when you are 0:14:49.699,0:14:51.559 calling it, you have to call with 0:14:51.559,0:14:53.839 quotes. I prefer it like this only so 0:14:53.839,0:14:55.610 that everything is inside your 0:14:55.610,0:14:58.699 macro. In that case, the string I 0:14:58.699,0:15:04.999 will return is this command: getjournals *. 0:15:04.999,0:15:07.129 Now, you have to be very careful over 0:15:07.129,0:15:10.459 here when you deal with a generating 0:15:10.459,0:15:11.869 command. If you see, getjournals is a 0:15:11.869,0:15:13.610 generating command. Right? That’s why this 0:15:13.610,0:15:15.019 has to be the first command in your 0:15:15.019,0:15:19.869 search string. Now, for generating commands, 0:15:19.869,0:15:22.549 when you run it--if you see--there is a 0:15:22.549,0:15:25.220 bar (|) over here in the search bar. Right? After 0:15:25.220,0:15:27.049 that only, if I run this command without 0:15:27.049,0:15:29.810 this bar, nothing will come up. So, 0:15:29.810,0:15:32.149 it requires this bar. But when you put 0:15:32.149,0:15:35.480 this getjournals *--this generating 0:15:35.480,0:15:38.959 command--inside a macro, you put it 0:15:38.959,0:15:41.089 without the bar, so that when you call 0:15:41.089,0:15:43.939 the macro, you’ll call with | then 0:15:43.939,0:15:45.319 macro name. I’ll show you that one as 0:15:45.319,0:15:47.660 well. That’s why I’m giving it without 0:15:47.660,0:15:50.540 the bar here. This is important--you have to be very 0:15:50.540,0:15:53.110 careful with generating commands. 0:15:53.110,0:15:55.309 Because if you put the bar inside, it will 0:15:55.309,0:16:01.069 not work. Now, when my input is "main"--okay--in 0:16:01.069,0:16:04.579 that case, I will return the string 0:16:04.579,0:16:10.309 called search index=main. 
Here 0:16:10.309,0:16:12.620 also, another good thing is when you run 0:16:12.620,0:16:14.540 index=main from your search 0:16:14.540,0:16:16.670 prompt, you do not need to mention 0:16:16.670,0:16:18.680 search then index=main, 0:16:18.680,0:16:21.829 because that comes by default. But 0:16:21.829,0:16:23.899 when you use it in a macro or somewhere 0:16:23.899,0:16:24.230 else, 0:16:24.230,0:16:27.110 you have to put it like this: search 0:16:27.110,0:16:31.160 index=main. Okay? So, this string I’ll 0:16:31.160,0:16:33.350 be returning. Since the macro has one 0:16:33.350,0:16:37.069 input, I’ll be giving 1 here. Okay? For now, 0:16:37.069,0:16:39.230 validation. We are not doing anything, 0:16:39.230,0:16:44.389 so let’s save it. Okay? This is our third 0:16:44.389,0:16:48.769 macro--getjournal_or_main. So, if I 0:16:48.769,0:16:53.750 run this macro now--okay--as I said, it 0:16:53.750,0:16:56.149 has a generating command, that’s why I’m 0:16:56.149,0:16:59.959 giving a bar over here, then my tick, and 0:16:59.959,0:17:03.680 then my input. Let’s say I’ll be giving 0:17:03.680,0:17:09.530 input as getjournal. I 0:17:09.530,0:17:13.290 want to work with the dataset getjournal. Okay? 0:17:13.290,0:17:21.220 Let’s see. Okay. I have a 0:17:21.220,0:17:28.370 bracket that’s missing over here. Save. 0:17:28.370,0:17:30.020 If you see, if I run this macro again, it 0:17:30.020,0:17:31.640 is giving me the same because sometimes it 0:17:31.640,0:17:34.520 doesn’t take the refreshed value. 0:17:34.520,0:17:36.620 So, what I’ll do in this case--just copy 0:17:36.620,0:17:41.690 this code, close it, run it again. 0:17:41.690,0:17:43.770 SearchFactory Unknown search command 0:17:43.770,0:17:55.850 'case'. Let’s see what’s going on. Okay. It 0:17:55.850,0:17:58.280 has to be an eval-based macro because it is 0:17:58.280,0:18:01.190 returning a string now. Right? So, let’s 0:18:01.190,0:18:10.760 save it, and let’s rerun it. Okay. It is not-- Okay. 
Now, if you 0:18:10.760,0:18:13.910 see, if I run this getjournal macro, 0:18:13.910,0:18:15.410 it is giving me this dataset where it 0:18:15.410,0:18:17.230 is running that getjournal * 0:18:17.230,0:18:19.130 generating command and giving me this 0:18:19.130,0:18:23.510 result. If I say main, in this case, it is 0:18:23.510,0:18:26.090 giving me this dataset where I have 0:18:26.090,0:18:29.750 indexed my data. So, this is how you can 0:18:29.750,0:18:33.020 create an eval-based macro. Okay? So now, 0:18:33.020,0:18:36.770 macros have different permissions as 0:18:36.770,0:18:39.590 well. If you see from this macro 0:18:39.590,0:18:44.090 list page, you can set the 0:18:44.090,0:18:46.430 permissions as well. So currently, I'll 0:18:46.430,0:18:48.050 show you. I'll set this permission as 0:18:48.050,0:18:50.330 "this app only" and read--I'll say 0:18:50.330,0:18:52.940 everyone, and write--let's say, admin. Let's 0:18:52.940,0:18:57.380 do it for all the macro permissions. So, 0:18:57.380,0:18:58.520 you have to be very careful with the 0:18:58.520,0:19:02.480 macro permissions as well. Otherwise, any 0:19:02.480,0:19:04.520 unprivileged user will not be able to 0:19:04.520,0:19:07.100 run this macro, and your dashboard will 0:19:07.100,0:19:11.890 not show up anything. So, read--right. Okay. 0:19:11.890,0:19:14.330 Now, we have set the permissions of the 0:19:14.330,0:19:17.120 macro as well. Now, let's see what's going 0:19:17.120,0:19:19.490 on in the background. So, I am in my 0:19:19.490,0:19:24.990 Splunk home. I'll go to etc/apps/tmdb_app/, 0:19:24.990,0:19:26.990 and I'll go to my local folder. If 0:19:26.990,0:19:28.970 you see, whenever you create a macro, 0:19:28.970,0:19:31.220 it creates another conf file called 0:19:31.220,0:19:34.100 macros.conf. I'll open this file. 
And 0:19:34.100,0:19:37.190 if you see all the different macros we have 0:19:37.190,0:19:39.080 created, it creates separate 0:19:39.080,0:19:43.040 stanzas for each macro name with all 0:19:43.040,0:19:45.920 the input numbers. Right? And args are the 0:19:45.920,0:19:49.070 inputs of these macros. Right? For bonus, if 0:19:49.070,0:19:52.820 you see here, my arguments are 0:19:52.820,0:19:55.520 VP and bonus. Right? Two arguments--those are 0:19:55.520,0:19:56.840 showing up here. This is 0:19:56.840,0:19:59.240 the macro definition. This is the error 0:19:59.240,0:20:02.029 message you set for this macro. This 0:20:02.029,0:20:03.320 is the validation you have set for 0:20:03.320,0:20:06.470 this macro. And iseval is telling 0:20:06.470,0:20:08.480 you whether this macro is eval-based or 0:20:08.480,0:20:11.519 not. As our last macro, getjournal_or_main, 0:20:11.519,0:20:13.789 is eval-based, that's why iseval is 0:20:13.789,0:20:16.130 1. For the rest of the two macros, iseval 0:20:16.130,0:20:21.080 is 0. Okay? Now, you can call a 0:20:21.080,0:20:23.779 macro inside another macro. So, to 0:20:23.779,0:20:26.690 do that, let's do this exercise where we 0:20:26.690,0:20:28.490 have created this totalsalary, right? 0:20:28.490,0:20:29.929 And also bonus. 0:20:29.929,0:20:31.940 So, inside totalsalary, we'll try to 0:20:31.940,0:20:35.059 call this bonus one. To do that, I'll 0:20:35.059,0:20:38.819 do one thing. I'll clone this totalsalary macro. 0:20:38.819,0:20:40.309 No--let's just 0:20:40.309,0:20:51.348 get a new one only. Let's say, totalsalary_v2 (version two). 0:20:51.348,0:20:53.870 Okay? So, what I will do--it will 0:20:53.870,0:20:57.200 not be an eval-based macro. Let's say my 0:20:57.200,0:21:01.850 previous one was eval, right? So, 0:21:01.850,0:21:06.200 it has two arguments: basic_salary and 0:21:06.200,0:21:11.149 variable_percent. Right? Now, I'll be 0:21:11.149,0:21:14.419 adding this bonus as well. 
So, bonus 0:21:14.419,0:21:16.279 requires another extra input called 0:21:16.279,0:21:19.460 bonus, right? So, I'll be adding this as 0:21:19.460,0:21:23.179 an extra input--comma, this. So, my total 0:21:23.179,0:21:27.020 macro inputs will be three. basic_salary 0:21:27.020,0:21:29.750 and variable_percent will be used 0:21:29.750,0:21:33.020 here, and variable_percent and bonus will be 0:21:33.020,0:21:35.659 used in another eval statement, 0:21:35.659,0:21:37.730 which you'll be calling in this 0:21:37.730,0:21:40.760 bonus macro. Right? So, in this case, I'll 0:21:40.760,0:21:44.360 be calling this bonus macro inside. So, 0:21:44.360,0:21:48.830 I'll set this one—pipe, then my bonus 0:21:48.830,0:21:51.549 macro. bonus macro takes two arguments. 0:21:51.549,0:21:54.830 One is variable_percent, and another is 0:21:54.830,0:21:59.659 bonus. So, variable_percent I'll pass, and 0:21:59.659,0:22:04.370 I'll pass this bonus as well. So, ideally, 0:22:04.370,0:22:06.740 the behavior should be the same as we have 0:22:06.740,0:22:10.530 seen before. Right? So, 0:22:10.530,0:22:18.750 done. Tick. Okay. Now, let's save it. Okay. 0:22:18.750,0:22:21.690 So, totalsalary_v2. So, before we do 0:22:21.690,0:22:27.030 that, let us run our macro. So, I'll 0:22:27.030,0:22:31.669 just copy-paste that code portion here. 0:22:31.669,0:22:35.850 Right. So, I'll just copy-paste this code 0:22:35.850,0:22:37.880 portion here. 0:22:37.880,0:22:41.190 It's mac_totalsalary_non--okay, I 0:22:41.190,0:22:46.384 think my macro is totalsalary. 0:22:54.260,0:23:00.000 It has mismatched parenthesis. Okay. Okay. So, 0:23:00.000,0:23:03.000 it has created this one. In this new 0:23:03.000,0:23:06.330 field, in the new search field, what I'll 0:23:06.330,0:23:09.510 do is--after this one-- 0:23:09.510,0:23:14.460 I'll be calling my totalsalary_v2 macro. 0:23:14.460,0:23:16.020 Okay? 
Where it is doing 0:23:16.020,0:23:18.480 the work of both of these two--bonus and 0:23:18.480,0:23:22.150 totalsalary. Right? So, totalsalary_v2. 0:23:22.150,0:23:27.720 Okay. So, my tick--v2. v2 0:23:27.720,0:23:29.580 requires three arguments. One 0:23:29.580,0:23:32.220 is my basic_salary, variable_percent, and 0:23:32.220,0:23:35.039 the similar percent value--I'll give 8 0:23:35.039,0:23:36.929 so that we can at least compare 0:23:36.929,0:23:41.340 the outputs. So, if I run this one--see-- 0:23:41.340,0:23:42.720 it is working in the same way, 0:23:42.720,0:23:45.150 where it is getting this bonus field and 0:23:45.150,0:23:46.860 totalsalary. And if you see, the output 0:23:46.860,0:23:49.549 is same as well. 0:23:49.549,0:23:53.700 $15.22. We have given 7 here. Okay. 0:23:53.700,0:23:57.600 Let's run it with 7 only. So, 0:23:57.600,0:24:01.770 if you see--15.22, 20.22, 17.10, 17 like this. 0:24:01.770,0:24:05.610 Okay? So, this is how you can call a macro 0:24:05.610,0:24:08.370 inside another macro as well. So, if you 0:24:08.370,0:24:11.940 see here, by this structure, you 0:24:11.940,0:24:14.850 can achieve a very complex structure as 0:24:14.850,0:24:18.179 well--a complex structure which 0:24:18.179,0:24:20.250 is basically a reusable component in 0:24:20.250,0:24:24.210 Splunk search queries. Okay? So, this is what 0:24:24.210,0:24:26.520 you need to know, basically, to deal with 0:24:26.520,0:24:29.790 macros. And macros are very useful in 0:24:29.790,0:24:32.760 Splunk because not only do they give 0:24:32.760,0:24:36.240 you the modularity approach, but also 0:24:36.240,0:24:38.820 they give you a very short 0:24:38.820,0:24:41.630 search string and very readable code as well. 0:24:41.630,0:24:43.700 Okay? See you in the next video.