How to simplify and display search sentences using the macro function
Release date: 2015-05-07
Last updated: 2024-01-11
Version: Splunk Enterprise 9.0.3

Overview
Use macros to simplify commonly used search statements.

Content
A macro is a function that saves a search string, including commands, under a name. Adding `macro name` (the name enclosed in backticks) to a search statement inserts the saved search string into the search conditions.
If frequently used search conditions are long, macros save you the trouble of writing them out every time.
Examples of macro usage and settings
Usage example: Exclude from the search all events between 2023/4/1 00:00:00 and 2023/4/2 01:00:00 and between 2023/4/2 08:55:00 and 2023/4/2 09:00:00.
Setup steps
Configure the macro in Splunk Web.
- In the upper right of the screen, click Settings > Knowledge > Advanced Search > Search Macros, then click New.
- Select the destination app.
- Enter the macro name in the Name field. This is the name you will use in searches.
  * Allowed characters are alphanumeric characters, underscores (_), and dashes (-).
- Enter the following in the Definition field:
  NOT ((_time > 1427814000 _time < 1427817600) OR (_time > 1427932500 _time < 1427932800))
- Save the settings. Optionally, on the Search Macros screen, click Shared Permissions to set permissions for the created macro.
- Add `<macro name>` to the search statement and run the search.
Search example: index=test ERROR `macro`
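As an added illustration (not code from this page or from Splunk), the following Python rebuilds the definition above from human-readable time windows and shows how a backticked name is expanded into a search. The epoch values in the definition correspond to 2015/04/01 00:00-01:00 and 2015/04/02 08:55-09:00 in JST (UTC+9), which the example assumes; the macro name `macro` and the helper names are the example's own, and only argument-less macros are handled.

```python
from datetime import datetime, timedelta, timezone
import re

# Splunk stores _time as Unix epoch seconds, so the macro compares against raw
# epoch values. The human-readable windows must therefore be converted in the
# right time zone; JST (UTC+9) is assumed here.
JST = timezone(timedelta(hours=9))

def to_epoch(ts: str, tz=JST) -> int:
    """Convert 'YYYY/MM/DD HH:MM:SS' in the given zone to Unix epoch seconds."""
    dt = datetime.strptime(ts, "%Y/%m/%d %H:%M:%S").replace(tzinfo=tz)
    return int(dt.timestamp())

def exclusion_macro(windows, tz=JST) -> str:
    """Build a NOT (...) definition that excludes every (start, end) window.

    Adjacent terms in SPL are implicitly ANDed, matching the page's definition.
    """
    clauses = []
    for start, end in windows:
        s, e = to_epoch(start, tz), to_epoch(end, tz)
        if e <= s:
            raise ValueError(f"window end must be after start: {start} .. {end}")
        clauses.append(f"(_time > {s} _time < {e})")
    return "NOT (" + " OR ".join(clauses) + ")"

# Macro names may contain alphanumerics, underscores and dashes (per the page).
MACRO_RE = re.compile(r"`([A-Za-z0-9_-]+)`")

def expand_macros(search: str, macros: dict) -> str:
    """Replace each `name` reference with its saved definition, as Splunk does."""
    def substitute(match):
        name = match.group(1)
        if name not in macros:
            raise KeyError(f"undefined macro: {name}")
        return macros[name]
    return MACRO_RE.sub(substitute, search)

if __name__ == "__main__":
    # Constructed sample windows matching the epoch values on this page.
    windows = [("2015/04/01 00:00:00", "2015/04/01 01:00:00"),
               ("2015/04/02 08:55:00", "2015/04/02 09:00:00")]
    definition = exclusion_macro(windows)
    print(definition)
    print(expand_macros("index=test ERROR `macro`", {"macro": definition}))
```

Regenerate the definition whenever the exclusion windows change; a stale hard-coded epoch value silently excludes the wrong interval without any search error.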