Creating and Using Macros Flashcards
Define Macros
Search strings or portions of search strings that can be used in multiple places within Splunk.
When are Macros useful?
Macros are useful when you frequently run searches that require similar or complicated search syntax.
What is the goal macros?
The goal of macros should always be to make them as reusable as possible.
What fields are required for building macros?
Name
Definition
What characters can macro argument names contain?
- Alphanumeric
- “_”
- ”-“
What is the syntax for including arguments in macro definitions?
Enclose the argument name in dollar signs.
Ex. “$moolah$”
What is the definition field in a macro?
The definition field is the search string that will expand when referenced.
How do you use a macro in a search string?
To use a macro, pipe into a statement using the name of the macro in backtick characters.
Ex.
|convertUSD
What do backtick characters tell Splunk?
Backtick characters tell Splunk this is a macro and replace it with the search in the macro definition.
How are macros set apart from other knowledge objects?
Macros:
- Store entire search strings, including pipes and eval statements.
- Are time range independent, allowing time range to be selected at search time.
- Pass arguments to the search.
How can you expand a macro without running it?
Via the search expansion window (Command Shift E)
When can a pipe follow a macro?
A pipe can always follow a macro.
Using a basic macro, you can pipe to more commands or precede with a search string.
What is required for a macro to accept a given number of arguments?
Include the number of the arguments in parentheses after the macro name.
Ex.
monthly_sales(3)
How do you define an argument in a macro search definition?
Enclose the argument in dollar signs within the search definition.
Ex. (three arguments)
currency=$currency$
symbol=$symbol$
rate=$rate$
When is a time range selected for a macro?
At search time.
Macros have flexible time ranges.
