Okay. Today, we'll discuss Splunk macros. So, Splunk macros--you can think of them as reusable components in your Splunk search. Suppose a particular portion of a search is used many times; then you can put it in a macro so that you can call that macro, and the macro will be replaced at runtime with that search string. Okay? So, macros are very, very useful when, suppose, you have many dashboards in your application, and in all these dashboards you have some search which is running. Right? In this case, you can implement that search portion in a macro so that you can just call that macro instead of using the whole search string in your dashboards. So, in the future, if you want to make any changes in that search logic, we'll just change it in one place--in that macro body. Okay? So, by implementing a macro, basically, we are achieving two things. One is the modularity of your code--easy maintenance of your code--and the other is that your search string will be much smaller. Okay?
So, there are two different types of macros we generally deal with. One is an eval-based macro, and the other is a non-eval-based macro. So, before we discuss those things, let me show you the data I have here. I have some people's names, their basic salary, and variable percent. So, I'll show you how to create an eval-based macro, how to create a non-eval-based macro, what the differences are between them, and then how to call a macro inside another macro as well. We'll try to discuss that one. But first, let us see how we can create a non-eval macro. So now, an eval macro and a non-eval macro--if you see, functionality-wise, both are the same. When we define a macro, in the macro body you are giving the search string. Right? So, dynamically at runtime, that macro will be replaced by that macro body by Splunk search. Okay? Now, when we talk about eval-based macros, it is expected that the macro is returning a string. When you use a non-eval-based macro, you can directly put the search string inside the macro. So, let me show you.
Suppose I want to calculate total salary based on this formula, which uses basic salary. Let me show you: basic salary plus basic into the percentage--variable percent. Okay? So, to do that--to create any macro from the Splunk UI--this is how you do it. You go to Settings, then Advanced Search. Okay? From there, if you see, there is an option called Search Macros. You go there and select your app. So, I'll be creating this macro in my TMDB app. I have selected TMDB over here, then New Search Macro. Okay? If you see the destination, I've already selected it as TMDB. I'll give it a name. Let's say, total salary. Okay? So now, whether a macro is eval-based or not is determined by this checkbox. If you check this one, it will be an eval-based macro. If you don't check this one, it will be a non-eval-based macro. So first, we'll discuss the non-eval-based macro. What I am trying to say is, whenever we are creating a non-eval-based macro, we can directly give a search string over there. So, my search string will be something like this.
I'll be creating a new field called total salary. That's why: eval total_salary =. Now, I'll be passing my basic salary and variable percent to this macro. Right? To do that, what I'll do is create arguments for this macro. So, in the Arguments section, you'll be giving these two things: basic salary and variable percent. That's two arguments. As the macro has two arguments, it is mandatory that in this Name section you give how many arguments you have in your macro. If it is one, you have to give one here. Okay? Now the formula is: my basic salary. Now, this basic salary is my input variable. Right? So, to access input variables, you access them like this--just like a token. Okay? Basic salary plus my basic salary into that variable percent--again, I am accessing it as input. Right? Then divided by 100. So, this will be my macro body. Now, there are two more options, Validation Expression and Validation Error Message. I will show you those in the next macro. So, if I save it--okay. If you see, the macro has been created.
Now, if I call this macro over here--to call a macro, this is how you call it: there is a tick mark, if you see, on your keyboard, then the macro name--total salary--and it has two arguments, right? My basic salary and my variable percent, then the closing tick. Now, this basic salary corresponds to this basic salary, and variable percent corresponds to this variable percent field. Now, when I defined the macro, I gave the macro inputs the same names. You can give any input variable name over here; the same name you have to use over here as well. But when you pass basic salary and variable percent to this macro, you'll be giving the field names only. Okay? So, let us run it and see what's going on. If you see, it has created a total salary field with this formula's output--4,000 plus 4,000 into 15% is 4,600. Right? So, it is basically the same as what is happening at runtime.
So, if instead of total salary I just gave this one, and instead of this token variable I just gave my field name here--variable percent--the output will be the same. The output will be the same. So, this is also what is happening. At runtime, Splunk is replacing this macro body with these variable inputs, and then it is running the query. So ultimately, this query is getting run. Okay? But the thing is, if you put this code in a macro, you can call that macro anywhere you use it. So that means this code portion will be reusable now. Okay? Now, let's see an example where we can use this validation expression and validation error message. The validation expression is used when you want to do some kind of validation on your macro inputs. Okay? And the validation error message means that when this validation is failing, this error message will be displayed over there. So, to do that, what I'll do is create another macro. Okay? So now, let's say we have basic salary and variable percent. Right?
Let's say we want to calculate a bonus percentage with this formula: variable percent plus any other percent--any number. Let's say any number, 7% or 8%, any number I'll put in our inputs. It'll add those two percentage values and give me the bonus percent. Okay? So, to do that, I'll just create a similar macro named "bonus." Okay? So, the formula will be--again, it will be non-eval-based. Okay? eval bonus =. So, my variable percent, right, I have to provide as an input, so I'll be giving an input. Let's say this time I will rename it to something--VP. So, I'll say $VP$, then plus another input I'll be giving--let's say, a bonus input. Okay? So, this bonus I'll be adding here. Okay. Bonus. So, we have two inputs. That means we have to give two over here. Now I'll add an expression. Now, I always want this bonus to be a number. Okay? To do that--so, this validation expression has to be a Boolean expression or eval. Okay? So, if you saw my previous video, we discussed the various eval expressions.
Right? And some of the expressions return a Boolean--like the like operator, the in operator, or the isnum operator, which basically checks whether a particular input is a number or not. So, we'll be using isnum over here on this bonus. That means I am checking whether whatever I am providing as input to this bonus variable parameter is a number or not. If it is not a number, I'll give this output error message: "Bonus must be a number." Okay? So, let's save this macro. Okay? Now I will call this macro here. Let it be--my total salary macro called as is. If I just do Ctrl+C--okay. Here, I am calling my total salary. So just tick the output. Now, after that, I'll be calling the bonus macro. Right? So, in a similar way: tick, macro name, macro inputs. One of the inputs will be my variable percent, and the other input, maybe--let's say 8%--I want to add to the variable percent. So, what will be the output? In this case, it should create a new field called "bonus" with 15 plus 8, 20 plus 8--something like this. Okay?
If you see, you can access different macros in your whole search. Okay? Now, let's say I have provided a string here--it says test. Okay. What is happening? If you provide a string here, that validation is failing. We have added isnum over here. So, that's why it is giving you this error: "Bonus must be a number." So, this is how macro input validation works. Okay. Let us continue. Now, we will discuss how to create an eval macro. So, to do that, what we'll do is--first, let me show you two things. If you remember from my previous video, we created a command called getjournals. Right? And that command takes an input with the journal ID. And if we are not giving any journal ID and we are giving *, it will give you all the journal details. Right? And also, we have indexed our data into this main index. Right? So, we have another dataset called "main" where we are having this salary and this information. Just now we are working with this dataset.
So, suppose there is a requirement that, based on a certain condition, either I need to go with this dataset or I need to go with that dataset. In this type of scenario--where dynamically you have to determine which dataset to work on, or dynamically determine which search string to return--eval macros come into the picture. Okay? Because the main concept behind an eval macro is that it has to return a string. So, in that case, this is how you will create it. Let's say, New Search Macro. I'll give it a name called getjournal_or_mainindex. Okay? Just a name to show you the use case of it. So, here, what I will write--I'll write an if or case statement. Generally, we mostly write an if or case statement for eval-based macros, so that we can have different conditions, and based on the condition, we return the search string. But ultimately, if you see, we're returning the search string only at the end of the day--so that Splunk will replace that macro with that search string. So, I'm saying I'll provide the argument here.
Let's say, the same argument name. So, either I'll provide getjournal, or I'll provide main as my argument value. Okay? I'll show you how I provide that one. case($input$ == "getjournal", "getjournals *", $input$ == "main", "search index=main") As it is within quotes, remember that this one has to be in quotes as well. Or, when you are calling it, you have to call it with quotes. I prefer it like this only, so that everything is inside your macro. In that case, the string I will return is this command: getjournals *. Now, you have to be very careful over here when you deal with a generating command. If you see, getjournals is a generating command. Right? That's why this has to be the first command in your search string. Now, for generating commands, when you run them--if you see--there is a bar (|) over here in the search bar. Right? Only after that. If I run this command without this bar, nothing will come up. So, it requires this bar.
But when you put this getjournals *--this generating command--inside a macro, you put it without the bar, so that when you call the macro, you'll call it with | then the macro name. I'll show you that one as well. That's why I'm giving it without the bar here. This is important--you have to be very careful with generating commands. Because if you put the bar inside, it will not work. Now, when my input is "main"--okay--in that case, I will return the string search index=main. Here also, another good thing is that when you run index=main from your search prompt, you do not need to mention search then index=main, because that comes by default. But when you use it in a macro or somewhere else, you have to put it like this: search index=main. Okay? So, this string I'll be returning. Since the macro has one input, I'll be giving 1 here. Okay? For now, validation--we are not doing anything, so let's save it. Okay? This is our third macro--getjournal_or_main.
So, if I run this macro now--okay--as I said, it has a generating command, that's why I'm giving a bar over here, then my tick, and then my input. Let's say I'll be giving the input as getjournal. I want to work with the dataset getjournal. Okay? Let's see. Okay. I have a bracket that's missing over here. Save. If you see, if I run this macro again, it is giving me the same, because sometimes it doesn't take the refreshed value. So, what I'll do in this case is just copy this code, close it, and run it again. "SearchFactory Unknown search command 'case'." Let's see what's going on. Okay. It has to be an eval-based macro, because it is returning a string now. Right? So, let's save it, and let's rerun it. Okay. It is not-- Okay. Now, if you see, if I run this getjournal macro, it is giving me this dataset where it is running that getjournals * generating command and giving me this result. If I say main, in this case, it is giving me this dataset where I have indexed my data. So, this is how you can create an eval-based macro. Okay?
So now, macros have different permissions as well. If you see, from this macro list page you can set the permissions as well. So currently, I'll show you. I'll set this permission as "this app only", and for read I'll say everyone, and for write, let's say, admin. Let's do it for all the macro permissions. So, you have to be very careful with the macro permissions as well. Otherwise, any unprivileged user will not be able to run this macro, and your dashboard will not show anything. So, read and write. Okay. Now, we have set the permissions of the macro as well. Now, let's see what's going on in the background. So, I am in my Splunk home. I'll go to etc/apps/tmdb_app/, and I'll go to my local folder. If you see, whenever you create a macro, it creates another conf file called macros.conf. I'll open this file. And if you see all the different macros we have created, it creates separate stanzas for each macro name with the number of inputs. Right? And args are the inputs of these macros. Right?
For bonus, if you see here, my arguments are VP and bonus. Right? Two arguments--those are showing up here. This is the macro definition. This is the error message you set for this macro. This is the validation you have set for this macro. And iseval is telling you whether this macro is eval-based or not. As our last macro, getjournal_or_main, is eval-based, that's why iseval is 1. For the other two macros, iseval is 0. Okay? Now, you can call a macro inside another macro. So, to do that, let's do this exercise where we have created this totalsalary, right? And also bonus. So, inside totalsalary, we'll try to call this bonus one. To do that, I'll do one thing. I'll clone this totalsalary macro. No--let's just create a new one. Let's say, totalsalary_v2 (version two). Okay? So, what I will do--it will not be an eval-based macro. Let's say my previous one was eval, right? So, it has two arguments: basic_salary and variable_percent. Right? Now, I'll be adding this bonus as well.
So, bonus requires another extra input called bonus, right? So, I'll be adding this as an extra input--comma, this. So, my total macro inputs will be three. basic_salary and variable_percent will be used here, and variable_percent and bonus will be used in another eval statement, which you'll be calling in this bonus macro. Right? So, in this case, I'll be calling this bonus macro inside. So, I'll set this one--pipe, then my bonus macro. The bonus macro takes two arguments. One is variable_percent, and the other is bonus. So, variable_percent I'll pass, and I'll pass this bonus as well. So, ideally, the behavior should be the same as we have seen before. Right? So, done. Tick. Okay. Now, let's save it. Okay. So, totalsalary_v2. So, before we do that, let us run our macro. I'll just copy-paste that code portion here. It's mac_totalsalary_non--okay, I think my macro is totalsalary. It has mismatched parentheses. Okay. Okay. So, it has created this one.
In this new field, in the new search field, what I'll do is--after this one--I'll be calling my totalsalary_v2 macro. Okay? It is doing the work of both of these two--bonus and totalsalary. Right? So, totalsalary_v2. Okay. So, my tick--v2. v2 requires three arguments: my basic_salary, variable_percent, and the similar percent value--I'll give 8 so that we can at least compare the outputs. So, if I run this one--see--it is working in the same way, where it is getting this bonus field and totalsalary. And if you see, the output is the same as well. 15.22. We have given 7 here. Okay. Let's run it with 7 only. So, if you see--15.22, 20.22, 17.10, 17, like this. Okay? So, this is how you can call a macro inside another macro as well. So, if you see here, by this structure, you can achieve a very complex structure as well--a complex structure which is basically a reusable component in Splunk search queries. Okay? So, this is what you need to know, basically, to deal with macros.
And macros are very useful in Splunk because not only do they give you the modularity approach, but they also give you a very short search string and very readable code as well. Okay? See you in the next video.