Okay. Today, we'll discuss Splunk macros. Okay. So, Splunk macros--you can think of them as reusable components in your Splunk search where, suppose a particular search portion is if you used many times, then you can put it in a macro so that you can call that macro, and the macro will be replaced at runtime with that search string. Okay? So, macros are very, very useful when, suppose you have many dashboards in your application. And in all these dashboards, you have some search which is running in all the dashboards. Right? So, in this case, you can implement that search portion in a macro so that you can just call that macro instead of using the whole search string in your dashboards. So, in the future, if you want to make any changes in that search logic, we'll just change it in one place--in that macro body. Okay? So, by implementing a macro, basically, we are achieving two things. One is the modularity of your code--easy maintenance of your code--as well as your search string will be much smaller. Okay? So, there are two different types of macros we generally deal with. One is an eval-based macro, and another is a non-eval-based macro. So, before we discuss those things, let me show you the data I have here. So, I have some people's names, their basic salary, and variable percent. So, I'll show you how to create an eval-based macro, how to create a non-eval-based macro, what the differences are between them, and then how to call a macro instead of the macro also. We'll try to discuss that one. Because first, let us see how we can create a non-eval macro. So now, an eval macro and a non-eval macro-- if you see functionality-wise, both are the same. So, when we define a macro--the macro body--you are giving the search string. Right? So, dynamically at runtime, that macro will be replaced by that macro body by Splunk search. Okay? Now, when we talk about eval-based macros, it is expected that the macro is returning a string. When you use a non-eval-based macro, you can directly put the search string inside the macro. So, let me show you. Suppose I want to calculate total salary based on this formula: called basic salary. Let me show you. Basic salary plus basic into the percentage--variable percent. Okay? So, to do that--to create any macro from the Splunk UI--this is how you do it. You'll go to Settings. We go to Advanced Search. Okay? From there, if you see, there is an option called Search Macros. You go there. You select your app from there. So, I'll be creating this macro in my TMDB app. So, I have selected TMDB over here, then New Search Macro. Okay? If you see the destination, I've already selected it as TMDB. I'll give it a name. Let's say, total salary. Okay? So now, whether a macro is eval-based or not is determined by this checkbox. If you check this one, it will be an eval-based macro. If you don't check this one, it will be a non-eval-based macro. So first, we'll discuss the non-eval-based macro. So, what I am trying to say is--whenever we are creating a non-eval-based macro, we can directly give a search string over there. So, my search string will be something like this. I'll be creating a new field called total salary. So, that's why eval total_salary =. Now, I'll be passing this to my basic salary and variable percent to this macro. Right? To do that, what I'll do is create arguments for this macro: basic salary. So, in the argument section, you'll be giving these two things: basic salary and variable percent. That's two arguments. As the macro has two arguments, it is mandatory that in this Name section, you give how many number of arguments you have in your macro. If it is one, you have to give one here. Okay? Now the formula is: my basic salary. Now, this basic salary is my input variable. Right? So, to access input variables, you access like this--just like a token. Okay? Basic salary plus my basic salary into that variable percent. Again, as input, I am accessing. Right? Then divided by 100. So, this will be my macro body. Now, there are two options for Validation Expression and Validation Error Message. I will show you in the next macro. So, if I save it--okay. So, if you see, the macro has been created. Now, if I call this macro over here--so to call a macro, this is how you call: there is a tick mark, if you see, okay, from your keyboard, then the macro name--total salary--and it has two arguments, right? My basic salary and my variable percent, then tick end. Now, this basic salary corresponds to this basic salary, and variable percent corresponds to this variable percent field. Now, when you define the macro, I have given the same name as the macro input. You can give any input variable name over here. The same name you have to use over here as well. But when you pass the macro--pass this with basic salary and variable percent to this macro--you'll be giving the field names only. Okay? So, let us run it and see what's going on. If you see, it has created a total salary field with this formula output--4,000 plus 4,000 into 15% is 4,600. Right? So, it is basically the same as what is happening at runtime. So, if instead of total salary, I just gave this one, and instead of this token variable, I just gave my field name here, the output will be the same--variable percent. The output will be the same. So, this is also what is happening as well. So, at runtime, Splunk is replacing this macro body with these variable inputs, and then it is running the query. So ultimately, this query is getting run. Okay? But the thing is--this code, if you put it in a macro--you can call that macro anywhere in usage. So that means this code portion will be reusable now. Okay? Now, let's see an example where we can use this validation expression and validation error message. Now, validation expression is used when you want to do some kind of validation on your macro inputs. Okay? And validation error message means when this input is getting--or this validation is getting-- failed, this error message will be displayed over there. So, to do that, what I'll do is create another macro. Okay? So now, let's say, we have basic salary and variable percent. Right? Let's say we want to calculate a bonus percentage with this formula: called variable percent plus any other percent-- any number. Let's say, any number-- 7% or 8%, any number I’ll put for our inputs. It'll give me--it'll add those two percentage values and give me the bonus percent. Okay? So, to do that, I'll just create that similar macro named "bonus." Okay? So, the formula will be--again--it will be non-eval-based. Okay? eval bonus =. So, my variable percent, right, I have to provide as an input, so I'll be giving input. So, let's say this time I will rename this to something--VP. So, I'll say $VP$, then plus another input I'll be giving--let's say, bonus input. Okay? So, this bonus, I'll be adding here. Okay. Bonus. So, we have two inputs. That means we have to give two over here. Now I'll add an expression. Now, I always want this bonus to be a number. Okay? To do that--so, this validation expression has to be a Boolean expression or eval. Okay? So, if you saw my previous video, we discussed the various eval expressions. Right? And some of the expressions return Boolean--like the like operator, in operator, or isnum operator, which basically checks whether a particular input is a number or not. So, we'll be using isnum over here on this bonus. That means I am checking whether whatever I am providing as input to this bonus variable parameter is a number or not. If it is not a number, I'll give this output error message: "Bonus must be a number." Okay? So, let's save this macro. Okay? Now I will call this macro here. Let it be--my total salary macro called as--is. If I just do Ctrl+C-- okay. Here, I am calling my total salary. So just tick the output. Now, after that, I'll be calling the bonus macro. Right? So, similar way: tick, macro name, macro inputs. One of the inputs will be my variable percent, and another input maybe--let's say, 8% I want to add to the variable percent. So, what will be the output? In this case, it should create a new field called "bonus" with 15 plus 8, 20 plus 8—something like this. Okay? If you see, you can access different macros in your whole search. Okay? Now, let's say I have provided a string here--it says test. Okay. What is happening? So, if you provide a string here, that validation is getting failed. We have added over here isnum. So, that's why it is giving you this error: "Bonus must be a number." So, this is how macro input validation works. Okay. Let us continue. Now, we will discuss how to create an eval macro. So, to do that, what we'll do is--first, let me show you two things. If you remember from my previous video, we created a command called getjournals. Right? And that command takes an input with the journal ID. And if we are not giving any journal ID and we are giving *, it will give you all the journal details. Right? And also, we have... We have created a... We have indexed our data into this main index. Right? So, we have another dataset called "main" where we are having this salary and this information. Just now we are working with this dataset. So, suppose there is a requirement that, based on a certain condition, either I need to go with this dataset or I need to go with that dataset. In this type of scenario--where dynamically you have to determine which dataset to work on, or dynamically determine which search string to return-- eval macros come into the picture. Okay? Because the main concept behind an eval macro is it has to return a string. So, in that case, how you will create it is like this. Let's say, new search macro. I'll give a name called getjournal_or_mainindex. Okay? Just like a name to show you the use case of it. So, here, what I will write-- I’ll write an if or case statement. Generally, we mostly write an if or case statement for eval-based macros, so that we can have different conditions, and based on the condition, we return the search string. But ultimately, if you see, we’re returning the search string only at the end of the day-- so that Splunk will replace that macro with that search string. So, I’m saying I’ll provide the argument here. Let’s say, same argument name. So, either I’ll provide getjournal, or I’ll provide main as my argument value. Okay? I’ll show you how I provide that one. case($input$ == "getjournal", "getjournals *", $input$ == "main", "search index=main") As it is within quotes, remember that this one has to be in quotes as well. Or, when you are calling it, you have to call with quotes. I prefer it like this only so that everything is inside your macro. In that case, the string I will return is this command: getjournals *. Now, you have to be very careful over here when you deal with a generating command. If you see, getjournals is a generating command. Right? That’s why this has to be the first command in your search string. Now, for generating commands, when you run it--if you see--there is a bar (|) over here in the search bar. Right? After that only, if I run this command without this bar, nothing will come up. So, it requires this bar. But when you put this getjournals *--this generating command--inside a macro, you put it without the bar, so that when you call the macro, you’ll call with | then macro name. I’ll show you that one as well. That’s why I’m giving it without the bar here. This is important--you have to be very careful with generating commands. Because if you put the bar inside, it will not work. Now, when my input is "main"--okay--in that case, I will return the string called search index=main. Here also, another good thing is when you run index=main from your search prompt, you do not need to mention search then index=main, because that comes by default. But when you use it in a macro or somewhere else, you have to put it like this: search index=main. Okay? So, this string I’ll be returning. Since the macro has one input, I’ll be giving 1 here. Okay? For now, validation. We are not doing anything, so let’s save it. Okay? This is our third macro--getjournal_or_main. So, if I run this macro now--okay--as I said, it has a generating command, that’s why I’m giving a bar over here, then my tick, and then my input. Let’s say I’ll be giving input as getjournal. I want to work with the dataset getjournal. Okay? Let’s see. Okay. I have a bracket that’s missing over here. Save. If you see, if I run this macro again, it is giving me the same because sometimes it doesn’t take the refreshed value. So, what I’ll do in this case--just copy this code, close it, run it again. SearchFactory Unknown search command 'case'. Let’s see what’s going on. Okay. It has to be an eval-based macro because it is returning a string now. Right? So, let’s save it, and let’s rerun it. Okay. It is not-- Okay. Now, if you see, if I run this getjournal macro, it is giving me this dataset where it is running that getjournal * generating command and giving me this result. If I say main, in this case, it is giving me this dataset where I have indexed my data. So, this is how you can create an eval-based macro. Okay? So now, macros have different permissions as well. If you see from this macro list page, you can set the permissions as well. So currently, I'll show you. I'll set this permission as "this app only" and read--I'll say everyone, and write--let's say, admin. Let's do it for all the macro permissions. So, you have to be very careful with the macro permissions as well. Otherwise, any unprivileged user will not be able to run this macro, and your dashboard will not show up anything. So, read--right. Okay. Now, we have set the permissions of the macro as well. Now, let's see what's going on in the background. So, I am in my Splunk home. I'll go to etc/apps/tmdb_app/, and I'll go to my local folder. If you see, whenever you create a macro, it creates another conf file called macros.conf. I'll open this file. And if you see all the different macros we have created, it creates separate stanzas for each macro name with all the input numbers. Right? And args are the inputs of these macros. Right? For bonus, if you see here, my arguments are VP and bonus. Right? Two arguments--those are showing up here. This is the macro definition. This is the error message you set for this macro. This is the validation you have set for this macro. And iseval is telling you whether this macro is eval-based or not. As our last macro, getjournal_or_main, is eval-based, that's why iseval is 1. For the rest of the two macros, iseval is 0. Okay? Now, you can call a macro inside another macro. So, to do that, let's do this exercise where we have created this totalsalary, right? And also bonus. So, inside totalsalary, we'll try to call this bonus one. To do that, I'll do one thing. I'll clone this totalsalary macro. No--let's just get a new one only. Let's say, totalsalary_v2 (version two). Okay? So, what I will do--it will not be an eval-based macro. Let's say my previous one was eval, right? So, it has two arguments: basic_salary and variable_percent. Right? Now, I'll be adding this bonus as well. So, bonus requires another extra input called bonus, right? So, I'll be adding this as an extra input--comma, this. So, my total macro inputs will be three. basic_salary and variable_percent will be used here, and variable_percent and bonus will be used in another eval statement, which you'll be calling in this bonus macro. Right? So, in this case, I'll be calling this bonus macro inside. So, I'll set this one—pipe, then my bonus macro. bonus macro takes two arguments. One is variable_percent, and another is bonus. So, variable_percent I'll pass, and I'll pass this bonus as well. So, ideally, the behavior should be the same as we have seen before. Right? So, done. Tick. Okay. Now, let's save it. Okay. So, totalsalary_v2. So, before we do that, let us run our macro. So, I'll just copy-paste that code portion here. Right. So, I'll just copy-paste this code portion here. It's mac_totalsalary_non--okay, I think my macro is totalsalary. It It has mismatched parenthesis. Okay. Okay. So, it has created this one. In this new field, in the new search field, what I'll do is--after this one-- I'll be calling my totalsalary_v2 macro. Okay? Where it is doing the work of both of these two--bonus and totalsalary. Right? So, totalsalary_v2. Okay. So, my tick--v2. v2 requires three arguments. One is my basic_salary, variable_percent, and the similar percent value--I'll give 8 so that we can at least compare the outputs. So, if I run this one--see-- it is working in the same way, where it is getting this bonus field and totalsalary. And if you see, the output is same as well. $15.22. We have given 7 here. Okay. Let's run it with 7 only. So, if you see--15.22, 20.22, 17.10, 17 like this. Okay? So, this is how you can call a macro inside another macro as well. So, if you see here, by this structure, you can achieve a very complex structure as well--a complex structure which is basically a reusable component in Splunk search queries. Okay? So, this is what you need to know, basically, to deal with macros. And macros are very useful in Splunk because not only do they give you the modularity approach, but also they give you a very short search string and very readable code as well. Okay? See you in the next video.