WEBVTT

Okay. Today, we'll discuss Splunk macros. Okay. So, Splunk macros--you can think of them as reusable components in your Splunk search where, suppose a particular search portion is used many times, then you can put it in a macro so that you can call that macro, and the macro will be replaced at runtime with that search string. Okay? So, macros are very, very useful when, suppose, you have many dashboards in your application, and in all these dashboards you have some search which is running. Right? So, in this case, you can implement that search portion in a macro so that you can just call that macro instead of using the whole search string in your dashboards. So, in the future, if you want to make any changes in that search logic, we'll just change it in one place--in that macro body. Okay? So, by implementing a macro, basically, we are achieving two things. One is the modularity of your code--easy maintenance of your code--and the other is that your search string will be much smaller. Okay? So, there are two different types of macros we generally deal with.
One is an eval-based macro, and another is a non-eval-based macro. So, before we discuss those things, let me show you the data I have here. So, I have some people's names, their basic salary, and variable percent. So, I'll show you how to create an eval-based macro, how to create a non-eval-based macro, what the differences are between them, and then how to call a macro inside another macro. We'll try to discuss that one as well. First, let us see how we can create a non-eval macro. So now, an eval macro and a non-eval macro--if you see, functionality-wise, both are the same. So, when we define a macro--the macro body--you are giving the search string. Right? So, dynamically at runtime, that macro will be replaced by that macro body by Splunk search. Okay? Now, when we talk about eval-based macros, it is expected that the macro is returning a string. When you use a non-eval-based macro, you can directly put the search string inside the macro. So, let me show you. Suppose I want to calculate total salary based on this formula, using basic salary. Let me show you.
Basic salary plus basic into the percentage--variable percent. Okay? So, to do that--to create any macro from the Splunk UI--this is how you do it. You'll go to Settings. We go to Advanced Search. Okay? From there, if you see, there is an option called Search Macros. You go there. You select your app from there. So, I'll be creating this macro in my TMDB app. So, I have selected TMDB over here, then New Search Macro. Okay? If you see the destination, I've already selected it as TMDB. I'll give it a name. Let's say, total salary. Okay? So now, whether a macro is eval-based or not is determined by this checkbox. If you check this one, it will be an eval-based macro. If you don't check this one, it will be a non-eval-based macro. So first, we'll discuss the non-eval-based macro. So, what I am trying to say is--whenever we are creating a non-eval-based macro, we can directly give a search string over there. So, my search string will be something like this. I'll be creating a new field called total salary. So, that's why: eval total_salary =.
Now, I'll be passing my basic salary and variable percent to this macro. Right? To do that, what I'll do is create arguments for this macro. So, in the argument section, you'll be giving these two things: basic salary and variable percent. That's two arguments. As the macro has two arguments, it is mandatory that in this Name section, you give how many arguments you have in your macro. If it is one, you have to give one here. Okay? Now the formula is: my basic salary. Now, this basic salary is my input variable. Right? So, to access input variables, you access them like this--just like a token. Okay? Basic salary plus my basic salary into that variable percent. Again, I am accessing it as input. Right? Then divided by 100. So, this will be my macro body. Now, there are two options for Validation Expression and Validation Error Message. I will show you those in the next macro. So, if I save it--okay. So, if you see, the macro has been created.
Now, if I call this macro over here--so to call a macro, this is how you call it: there is a tick mark (`), if you see, okay, from your keyboard, then the macro name--total salary--and it has two arguments, right? My basic salary and my variable percent, then the tick to end. Now, this basic salary corresponds to this basic salary, and variable percent corresponds to this variable percent field. Now, when you define the macro, I have given the same name as the macro input. You can give any input variable name over here. The same name you have to use over here as well. But when you pass basic salary and variable percent to this macro, you'll be giving the field names only. Okay? So, let us run it and see what's going on. If you see, it has created a total salary field with this formula output--4,000 plus 4,000 into 15% is 4,600. Right? So, it is basically the same as what is happening at runtime. So, if instead of total salary, I just gave this one, and instead of this token variable, I just gave my field name here--variable percent--the output will be the same.
So, this is what is happening as well. So, at runtime, Splunk is replacing this macro body with these variable inputs, and then it is running the query. So ultimately, this query is getting run. Okay? But the thing is--this code, if you put it in a macro--you can call that macro anywhere in usage. So that means this code portion will be reusable now. Okay? Now, let's see an example where we can use this validation expression and validation error message. Now, a validation expression is used when you want to do some kind of validation on your macro inputs. Okay? And the validation error message means that when this validation fails, this error message will be displayed over there. So, to do that, what I'll do is create another macro. Okay? So now, let's say, we have basic salary and variable percent. Right? Let's say we want to calculate a bonus percentage with this formula: variable percent plus any other percent--any number. Let's say, any number--7% or 8%, any number I'll put in our inputs.
It'll give me--it'll add those two percentage values and give me the bonus percent. Okay? So, to do that, I'll just create that similar macro named "bonus." Okay? So, the formula will be--again--it will be non-eval-based. Okay? eval bonus =. So, my variable percent, right, I have to provide as an input, so I'll be giving an input. So, let's say this time I will rename this to something--VP. So, I'll say $VP$, then plus another input I'll be giving--let's say, bonus input. Okay? So, this bonus, I'll be adding here. Okay. Bonus. So, we have two inputs. That means we have to give two over here. Now I'll add an expression. Now, I always want this bonus to be a number. Okay? To do that--so, this validation expression has to be a Boolean expression--an eval expression. Okay? So, if you saw my previous video, we discussed the various eval expressions. Right? And some of the expressions return Boolean--like the like operator, in operator, or isnum operator, which basically checks whether a particular input is a number or not. So, we'll be using isnum over here on this bonus.
That means I am checking whether whatever I am providing as input to this bonus variable parameter is a number or not. If it is not a number, I'll give this output error message: "Bonus must be a number." Okay? So, let's save this macro. Okay? Now I will call this macro here. Let my total salary macro call stay as is. If I just do Ctrl+C--okay. Here, I am calling my total salary. So just tick the output. Now, after that, I'll be calling the bonus macro. Right? So, in a similar way: tick, macro name, macro inputs. One of the inputs will be my variable percent, and another input maybe--let's say, 8% I want to add to the variable percent. So, what will be the output? In this case, it should create a new field called "bonus" with 15 plus 8, 20 plus 8--something like this. Okay? If you see, you can access different macros in your whole search. Okay? Now, let's say I have provided a string here--it says test. Okay. What is happening? So, if you provide a string here, that validation is failing. We have added isnum over here.
So, that's why it is giving you this error: "Bonus must be a number." So, this is how macro input validation works. Okay. Let us continue. Now, we will discuss how to create an eval macro. So, to do that, what we'll do is--first, let me show you two things. If you remember from my previous video, we created a command called getjournals. Right? And that command takes an input with the journal ID. And if we are not giving any journal ID and we are giving *, it will give you all the journal details. Right? And also, we have indexed our data into this main index. Right? So, we have another dataset called "main" where we are having this salary and this information. Just now we are working with this dataset. So, suppose there is a requirement that, based on a certain condition, either I need to go with this dataset or I need to go with that dataset. In this type of scenario--where dynamically you have to determine which dataset to work on, or dynamically determine which search string to return--eval macros come into the picture. Okay?
Because the main concept behind an eval macro is it has to return a string. So, in that case, how you will create it is like this. Let's say, new search macro. I'll give a name called getjournal_or_mainindex. Okay? Just a name to show you the use case of it. So, here, what I will write--I'll write an if or case statement. Generally, we mostly write an if or case statement for eval-based macros, so that we can have different conditions, and based on the condition, we return the search string. But ultimately, if you see, we're returning the search string only at the end of the day--so that Splunk will replace that macro with that search string. So, I'm saying I'll provide the argument here. Let's say, same argument name. So, either I'll provide getjournal, or I'll provide main as my argument value. Okay? I'll show you how I provide that one.

case($input$ == "getjournal", "getjournals *", $input$ == "main", "search index=main")

As it is within quotes, remember that this one has to be in quotes as well. Or, when you are calling it, you have to call it with quotes.
I prefer it like this only so that everything is inside your macro. In that case, the string I will return is this command: getjournals *. Now, you have to be very careful over here when you deal with a generating command. If you see, getjournals is a generating command. Right? That's why this has to be the first command in your search string. Now, for generating commands, when you run it--if you see--there is a bar (|) over here in the search bar. Right? Only after that. If I run this command without this bar, nothing will come up. So, it requires this bar. But when you put this getjournals *--this generating command--inside a macro, you put it without the bar, so that when you call the macro, you'll call it with | then the macro name. I'll show you that one as well. That's why I'm giving it without the bar here. This is important--you have to be very careful with generating commands. Because if you put the bar inside, it will not work. Now, when my input is "main"--okay--in that case, I will return the string search index=main.
Here also, another good thing is when you run index=main from your search prompt, you do not need to mention search then index=main, because that comes by default. But when you use it in a macro or somewhere else, you have to put it like this: search index=main. Okay? So, this string I'll be returning. Since the macro has one input, I'll be giving 1 here. Okay? For now, for validation, we are not doing anything, so let's save it. Okay? This is our third macro--getjournal_or_main. So, if I run this macro now--okay--as I said, it has a generating command, that's why I'm giving a bar over here, then my tick, and then my input. Let's say I'll be giving input as getjournal. I want to work with the dataset getjournal. Okay? Let's see. Okay. I have a bracket that's missing over here. Save. If you see, if I run this macro again, it is giving me the same because sometimes it doesn't take the refreshed value. So, what I'll do in this case--just copy this code, close it, run it again. SearchFactory Unknown search command 'case'. Let's see what's going on. Okay.
It has to be an eval-based macro because it is returning a string now. Right? So, let's save it, and let's rerun it. Okay. Now, if you see, if I run this getjournal macro, it is giving me this dataset where it is running that getjournals * generating command and giving me this result. If I say main, in this case, it is giving me this dataset where I have indexed my data. So, this is how you can create an eval-based macro. Okay? So now, macros have different permissions as well. If you see from this macro list page, you can set the permissions as well. So currently, I'll show you. I'll set this permission as "this app only" and read--I'll say everyone, and write--let's say, admin. Let's do it for all the macro permissions. So, you have to be very careful with the macro permissions as well. Otherwise, any unprivileged user will not be able to run this macro, and your dashboard will not show up anything. So, read--right. Okay. Now, we have set the permissions of the macro as well. Now, let's see what's going on in the background. So, I am in my Splunk home.
I'll go to etc/apps/tmdb_app/, and I'll go to my local folder. If you see, whenever you create a macro, it creates another conf file called macros.conf. I'll open this file. And if you see all the different macros we have created, it creates separate stanzas for each macro name with the number of inputs. Right? And args are the inputs of these macros. Right? For bonus, if you see here, my arguments are VP and bonus. Right? Two arguments--those are showing up here. This is the macro definition. This is the error message you set for this macro. This is the validation you have set for this macro. And iseval is telling you whether this macro is eval-based or not. As our last macro, getjournal_or_main, is eval-based, that's why iseval is 1. For the rest of the two macros, iseval is 0. Okay? Now, you can call a macro inside another macro. So, to do that, let's do this exercise where we have created this totalsalary, right? And also bonus. So, inside totalsalary, we'll try to call this bonus one. To do that, I'll do one thing. I'll clone this totalsalary macro.
No--let's just get a new one. Let's say, totalsalary_v2 (version two). Okay? So, what I will do--it will not be an eval-based macro. Let's say my previous one was eval, right? So, it has two arguments: basic_salary and variable_percent. Right? Now, I'll be adding this bonus as well. So, bonus requires another extra input called bonus, right? So, I'll be adding this as an extra input--comma, this. So, my total macro inputs will be three. basic_salary and variable_percent will be used here, and variable_percent and bonus will be used in another eval statement, which you'll be calling in this bonus macro. Right? So, in this case, I'll be calling this bonus macro inside. So, I'll set this one--pipe, then my bonus macro. The bonus macro takes two arguments. One is variable_percent, and another is bonus. So, variable_percent I'll pass, and I'll pass this bonus as well. So, ideally, the behavior should be the same as we have seen before. Right? So, done. Tick. Okay. Now, let's save it. Okay. So, totalsalary_v2. So, before we do that, let us run our macro. So, I'll just copy-paste that code portion here.
Right. It's mac_totalsalary_non--okay, I think my macro is totalsalary. It has mismatched parentheses. Okay. Okay. So, it has created this one. In this new field, in the new search field, what I'll do is--after this one--I'll be calling my totalsalary_v2 macro. Okay? Where it is doing the work of both of these two--bonus and totalsalary. Right? So, totalsalary_v2. Okay. So, my tick--v2. v2 requires three arguments. One is my basic_salary, variable_percent, and the similar percent value--I'll give 8 so that we can at least compare the outputs. So, if I run this one--see--it is working in the same way, where it is getting this bonus field and totalsalary. And if you see, the output is the same as well. 15.22. We have given 7 here. Okay. Let's run it with 7 only. So, if you see--15.22, 20.22, 17.10, 17, like this. Okay? So, this is how you can call a macro inside another macro as well.
So, if you see here, by this structure, you can achieve a very complex structure as well--a complex structure which is basically a reusable component in Splunk search queries. Okay? So, this is what you need to know, basically, to deal with macros. And macros are very useful in Splunk because not only do they give you the modularity approach, but also they give you a very short search string and very readable code as well. Okay? See you in the next video.
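As an added illustration, not a file taken from the video or its app, here is the macros.conf that the four macros created through the UI above would produce. It is reconstructed from what is spoken and shown; the stanza names, the $input$ argument name and the tmdb_app path follow the transcript, and the exact formula text is an assumption where the video does not show it.

```ini
# Added example: etc/apps/tmdb_app/local/macros.conf as it would look after the
# UI steps in the video. Reconstructed from the transcript, not copied from the app.
# Stanza name = macro name plus the argument count in parentheses; Splunk
# substitutes the $arg$ tokens with the caller's values at search time.

# Non-eval macro: the definition is search text, inserted verbatim.
[total_salary(2)]
args = basic_salary, variable_percent
definition = eval total_salary = $basic_salary$ + $basic_salary$ * $variable_percent$ / 100
iseval = 0

# Non-eval macro with input validation: `validation` is an eval expression that
# must return a Boolean; `errormsg` is shown to the user when it is false, and
# the search does not run with the bad argument.
[bonus(2)]
args = VP, bonus
definition = eval bonus = $VP$ + $bonus$
validation = isnum($bonus$)
errormsg = Bonus must be a number
iseval = 0

# Eval macro: the definition is an eval expression whose *result string* becomes
# the search text. Without iseval = 1 Splunk tries to run `case` as a search
# command, which is the "Unknown search command 'case'" error seen in the video.
# The generating command is stored WITHOUT a leading pipe; the caller supplies
# it. Outside the search bar the implicit search command must be spelled out,
# hence "search index=main" rather than "index=main".
[getjournal_or_main(1)]
args = input
definition = case($input$ == "getjournal", "getjournals *", $input$ == "main", "search index=main")
iseval = 1

# Macro calling a macro: the nested `bonus` call is expanded at search time too,
# so the three inputs are forwarded to the two formulas.
[totalsalary_v2(3)]
args = basic_salary, variable_percent, bonus
definition = eval total_salary = $basic_salary$ + $basic_salary$ * $variable_percent$ / 100 | `bonus($variable_percent$, $bonus$)`
iseval = 0

# Example calls from the search bar (field names for fields, literals for numbers):
#   index=main | `total_salary(basic_salary, variable_percent)` | `bonus(variable_percent, 8)`
#   index=main | `totalsalary_v2(basic_salary, variable_percent, 8)`
#   | `getjournal_or_main(getjournal)`        <- pipe first: expands to a generating command
#   index=main | `bonus(variable_percent, test)`   <- rejected with "Bonus must be a number"
```

The sharing settings the video sets through the UI (this app only, read for everyone, write for admin) are not stored in macros.conf; Splunk keeps them in the app's metadata/local.meta, so a review of who can run a macro has to look there.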