-
okay today we will discuss about plan
-
macros okay so his plan macros you can
-
think of it as a reusable component in
-
your Splunk search where suppose a
-
particular search portion if it is using
-
if you are using many times mmm then you
-
can put it in a macro so that you can
-
call that micro and the macro will be
-
replaced runtime with that search string
-
okay so macros are very very useful when
-
suppose you have many dashboards in your
-
application and in all this - but you
-
have some search which is running in all
-
the - boots right so in this case you
-
can implement that such portion in a
-
macro where you can just call that macro
-
instead of this whole search string in
-
your dashboards so in the future if you
-
want to do any changes in that search
-
logic you will just change into the into
-
one place in that in macro body okay so
-
so by implementing macro basically we
-
are achieving two things one is the
-
modularity of your code easily
-
maintaining of your code and as well as
-
your search string will be very much
-
smaller okay so there are there are
-
couple - two different types of macro we
-
generally deals with one is eval based
-
macro and there is no an evil based
-
macro so before we discuss those things
-
let me show you the data I have it here
-
so I have some people name and their
-
basic salary and and variable percent so
-
I'll show you to how to create evil
-
waste macro how to create non evil West
-
Metro and what are the differences
-
between them and and then how to call
-
macarons at a macro also we will try to
-
discuss that one okay so first let us
-
see how we can create a non evil macro
-
so now an evil macro and honorable macro
-
if you see functionality-wise both are
-
same so when we define a macro the macro
-
body you are giving this string right so
-
dynamically in the run time
-
macro will be definite will be replaced
-
by that macro body by spelling search
-
okay now when we talk about evil waste
-
macro it is expected that the macro is
-
returning a string when you use non evil
-
waste macro you can directly put the
-
search string inside the macro so let me
-
show you suppose I wanted to calculate
-
total salary based on this formula
-
called basic salary let me show you
-
basic salary plus basic into that
-
percentage variable percentage variable
-
percent okay so to do that to create any
-
macro from the Splunk uy this is how you
-
do it we'll go to settings we go to
-
advanced search okay from there if you
-
see there is a option called such Mac
-
rooms you go there you select your app
-
from there so I'll be creating this
-
matter in my tmdb app so I have selected
-
tmdb over here then new search macro
-
okay if you see the destination I've
-
already selected as TM GB I'll give it a
-
name let's say total salary okay so now
-
whether a macro is evil waste or not
-
determined by this check box if you
-
check this one it will be well waste
-
macro if you don't just check this one
-
it will be a non evil West macro so the
-
first we will discuss about non evil
-
missed macro so what I am trying to say
-
is when you what I said is whenever we
-
are creating a non evil West micro we
-
can directly give a search string over
-
there so my search team will be
-
something like this I will be creating a
-
new field called total salary so that's
-
why that evil total salary equals to now
-
I will be passing this to my basic
-
salary and variable percent to this
-
macro right row do that what I will do
-
I'll create a argument of this macro
-
in basic salary so in the argument
-
section you will be giving control see
-
these two things basic salary and
-
variable percent as two arguments as the
-
macro has two arguments it is mandatory
-
that in this name section you give how
-
many number of arguments you have in
-
your macro if it is one you have to give
-
one here okay now the formula is my
-
basic salary now this basic salary is my
-
input variable right so to access input
-
variable you access like this just like
-
it token okay basic salary plus my basic
-
salary into that variable percent again
-
as input I am accessing right then
-
divide it by 100 so this will be minus
-
macro body now there is a two options
-
for validation expression interrogation
-
error message I will show you in the
-
next macro see if I save it okay
-
so if you see the macro has been created
-
now if I call this macro over here so to
-
call a macro this is how you call there
-
is a tick mark if you see okay from your
-
keyboard then the macro name total
-
salary and it has two arguments right my
-
basic salary and my variable percent
-
then tick end now this basic salary is
-
corresponds to this basic salary and
-
variable person corresponds to this
-
variable person failed
-
now when you define the macro I have
-
given the same name as macro input you
-
can give any any input variable name
-
over here the same name you have to use
-
over here as well but when you pass a
-
macro pass this visix ready and variable
-
person to this macro you'll be giving
-
this field name only
-
so let us run it and see what's going on
-
if you see it has created a total salary
-
failed with this formal output 4000 plus
-
4000 into 15% is 4,600 right so it is
-
basically same as the run time what is
-
happening is something like this so if I
-
instead of total salary if I just gave
-
this one and instead of this token
-
variable I just give my flake name here
-
the output will be same variable percent
-
the output will be same so this is how
-
what is happening as well so run time
-
Splunk is replacing this macro body with
-
this variable inputs and then it is
-
running the query so ultimately this
-
squad is getting run okay so but the
-
thing is this this code if you put it in
-
a macro you can call that macro anybody
-
new such so that means that this code
-
portions will be reusable now okay now
-
let's see an example where we can use
-
this validation expression and
-
validation error message now a
-
validation expression is used when you
-
want to do some kind of validation on
-
your macro inputs okay so and validation
-
error message means when this input is
-
getting or this validation is getting
-
filled this error message will be
-
displayed over there so to do that what
-
I will do is I'll create another macro
-
okay so now let's say we have basic
-
salary and variable percent right let's
-
say we want to calculate a bonus
-
percentage with this formula called
-
variable percent variable percent plus
-
any any of the person any number let's
-
say seven percent or eight in a number
-
I'll provide inputs it will give me it
-
will add those two percentage value and
-
give me the bonus percent okay so to do
-
that I will just create that similar
-
macro name bonus
-
okay so the formula will be again it
-
will be non evil based okay eval bonus
-
equals two so my variable percent right
-
I have to provide as a input so I'll
-
giving input so let's say this time I
-
will rename this to something maybe so
-
I'll say dollar VP dollar then plus
-
another input I will be giving let's say
-
bonus input okay so this bonus I will be
-
adding here okay Nonna's so we have two
-
inputs that means we have to give two
-
over here now I'll add an expression now
-
I always want this bonus to be in number
-
okay do that i'll so this validation
-
expression has to be a boolean
-
expression or eval okay so if you saw my
-
previous video we we discussed about
-
various evil expressions right and some
-
of the expressions returns bully and the
-
strict like operator or in operator or
-
easy num operator which basically checks
-
whether a particular input is number or
-
not so you will be using is numb over
-
here on this bonus that means I am
-
checking whether whatever I am providing
-
as the input to this bonus variable
-
parameter whether it is number or not if
-
it is not number will I will give this
-
in this output error message bonus must
-
be and number okay
-
so let's save this macro okay now I will
-
call this macro here let it be my total
-
salary macro called as is if I just do
-
control see
-
okay here I'm calling my total salary so
-
to stick the output now after that I'll
-
be calling the bonus macro it's a
-
similar way tick macro named micro
-
inputs one of the inputs will be my
-
variable percent and another another
-
output may be let's say 8 percent I want
-
to add with the variable percent so what
-
will be output in this case it should
-
create a new field called bonus with 15
-
plus 8 20 plus 8 something like this
-
okay if you see you can create you can
-
access different different macros in
-
your whole search okay now let's say I
-
have provided a string here it says test
-
ok what is happening so if you provide
-
this thing here that validation is
-
getting failed we have added over here
-
is numb so that set is giving you this
-
error bonus must be a number so this is
-
how macro input validation works ok let
-
us continue now we will discuss about
-
how to create an eval macro so to do
-
that what we'll do is first let me show
-
you two things if you remember from my
-
previous video we have created a command
-
called gate churners right and that
-
common takes an input with the journal
-
ID and if we are not giving any general
-
idea giving star it will give you all
-
the journal titles right and also we
-
have a we have created a our we have
-
index our data into this main index
-
right so you have another data set
-
called main where we have we're having
-
this salary and this information just
-
now you are working with a data set so
-
suppose there is a requirement that
-
based on certain condition either I need
-
to go with this data set or I need to go
-
with this data set in this type of
-
scenario where dynamically you have to
-
determine which data set to work on or
-
dynamically
-
in which search string to which search
-
things were written that means to
-
assistant to work with eval macros are
-
coming into picture okay so because the
-
main concept behind evil macro is it has
-
to return a string so in that case how
-
we will create is like this let's say
-
new search macro I'll give a name call
-
gate channel or main index okay just
-
like the name just to show you the use
-
case of it so here what I will write I
-
will write it if or case statement
-
really mostly we light a key for case
-
statement for eval based macro so case
-
so that we can have different different
-
condition and based on the condition we
-
will be returning the search string but
-
ultimately if you see we are in the
-
start sitting only at the end of the day
-
so that Splunk will replace that macro
-
with that search string so i'm saying i
-
will provide argument here let's say
-
same same argument name let's say so
-
either i will provide gate channel or i
-
will provide main as my or argument
-
value okay i'll show you how how i
-
provide that one case i am saying my
-
input taller this one dollar is equals
-
to let us say gate channel okay as it is
-
within quotes remember that if this one
-
has to be quotes as well or when you are
-
calling you have to call with this with
-
course i prefer to be like this only so
-
that everything is in your inside your
-
macro only in that case the string I
-
will return is this kind get Jenna star
-
now you have to be very careful over
-
here when you dil Dil with a generating
-
command if you seek it generates a
-
generating comment right thats why this
-
has to be the first command in your
-
search string now for generating comment
-
when you run it if you see there is a
-
bar over here search bar right after
-
that only if I run this command without
-
this word nothing will come up
-
it requires this bar but when you put
-
this gate Jenner star this generating
-
command inside a macro so you put it
-
without the bar so that when you call
-
the macro you will call with bar then
-
macro name I will show you that one as
-
well but that's why I am giving without
-
the bar here this is this has to be very
-
careful with the generating comments
-
because if you put bar inside it will
-
not work now when my input is main ok in
-
that case I will return the string
-
called search index equals two main here
-
also another good thing is when you run
-
index equals two main from your search
-
prompt right you do not need to mention
-
search then index equals two main
-
because that is by default comes up but
-
when you use it in a macro or somewhere
-
else
-
you have to put it like this search then
-
index equals to me okay so this thing I
-
will be returning says my macro has one
-
input so I will be giving one here okay
-
validation we are not doing anything now
-
so let's save it okay this is our third
-
macro so get general or main see if I
-
run this macro now okay so as I said it
-
has a generating comment that's why I am
-
giving a bar over here then my take and
-
then my input let's say I will be giving
-
input s get general I want to know I
-
want to work with the data set to get
-
channel okay so if let's see okay
-
bracket this missing over here save now
-
if you see if I run this macro again it
-
is giving me same because sometimes it's
-
not you don't take the refreshed value
-
so what I will do in this case just copy
-
this code close it Danny taking such
-
Factory unknown search comma
-
and case to see what's going on okay it
-
has to be evil waste macro because it is
-
running a string now right so let's say
-
wait and let it is not okay now if you
-
see if I run this gate general macro so
-
it is giving me this data set where it
-
is running that gate general Starr
-
generating command and giving me this
-
result if I say main in this case it is
-
giving me this data set where I have
-
index my data so this is how you can
-
create a evil waste macro okay so now
-
macro has a diff separate permissions as
-
well if you see from this macro macro
-
list page you can and you can set the
-
permissions as well so currently I will
-
show you I will set this permission as
-
this upon't Li and read I will say
-
everyone and right let's say admin let's
-
do it for all the macros permission so
-
you have to be very careful with the
-
macro permissions as well otherwise any
-
unprivileged user will not be able to
-
run this macro and your dashboard will
-
not show up anything so read/write okay
-
now we have set the permissions of the
-
macro as well now let's see what's going
-
on at the background so I am in my
-
Splunk home I will go to a TC apps tmdb
-
F and I will go to my local folder if
-
you see whenever you creates a macro
-
it's creates a another Khan file called
-
macro scones I will open this file and
-
if you see all different macros we have
-
created its gate separate separate
-
stanza for that macro name and with all
-
the input numbers right and args is the
-
inputs of this macros wait for bonus if
-
you see here for bonus my arguments are
-
VPN bonus like two arguments those are
-
showing up here this
-
the macro definition this is the error
-
message you set it for this macro this
-
is the validation you have set it for
-
this macro and this is evil is telling
-
you whether this macro is well based or
-
not as our last macro get general or
-
main is evil ways that Troy is evil is
-
one for rest of the - macros easy well
-
is zero okay now you can you can call a
-
macro another inside another macro so to
-
do that let's do this exercise where we
-
have created these totals energy right
-
and also bonus
-
so inside total Cirelli we will try to
-
call this bonus one who do that I will
-
do one thing I will clone this total
-
celery macro no I like this let's let's
-
get a new one only it's a total salary
-
total salary
-
yv2
-
version - okay so what I will do it will
-
not be well based macro let's say my
-
previous will be there he well right so
-
it has two arguments basic salary and
-
variable percent right now I'll be
-
adding this bonus as well so bonus
-
requires another extra input called
-
bonus right so I will be adding this as
-
a extra input comma this so my total
-
macro inputs will be three basic salary
-
and variable pay will be he'll be used
-
here and variable pay and bonus will be
-
used in another evil statement which we
-
have which will be a calling in this
-
bonus macro right so in this case I will
-
be calling this bonus macro inside so
-
I'll say this one pipe then my bonus
-
macro bonus macro takes two arguments
-
one is variable percent and another is
-
bonus so variable percent I'll pass and
-
I'll pass this bonus as well so ideally
-
the behavior should be same as we have
-
seen before right so
-
done tick okay so now let's save it okay
-
so total sir I do so before before I do
-
that so let us run our macro so I'll
-
just copy paste that code portion here
-
right so I'll just copy paste this code
-
portion here
-
it's a macro total salary nan okay I
-
think total I am my macro is total 7
-
this mismatch parenthesis okay okay so
-
it has created this one in this new new
-
field in the new search field what I
-
will do is on after this one
-
I will be calling my total salary
-
version 2 macro okay what it is doing
-
the work of both of these 2 bonus and
-
total salary right so total salary
-
version - okay so my tick version 2
-
version 2 requires three arguments one
-
is my basic salary variable percent and
-
the similar person value I will gives 8
-
so that we can at least compare what's
-
the outputs so if I run this one see if
-
it is it is working in the same way
-
where it is getting this bonus field and
-
total salary and if you see the output
-
is same as well
-
15:22 we have given seven here okay
-
let's let's run it with seven only see
-
if you see fifteen twenty two twenty two
-
twenty seventeen ten seventy like this
-
okay so this is how you can call a macro
-
inside another macro as well so if you
-
see here by by by by this structure you
-
can achieve a very complex structure as
-
well and complex structure which which
-
is basically a useable component in
-
Splunk search query okay so this is how
-
you need to know basically to deal with
-
macros and macros are very useful in
-
Splunk because not only it it it gives
-
you the modularity approach but also
-
it's it's is give you the very shorter
-
search string and very readable course
-
as well ok see you in next video
