How to simplify and display search sentences using the macro function

Release date: 2015-05-07
Last updated: 2024-01-11
Version: Splunk Enterprise 9.0.3
Overview
Use macros to simplify commonly used search statements.
Reference information

A search macro is a saved search string, which may include commands, stored under a name. Adding the name to a search, wrapped in backticks (`macro_name`), inserts the saved string into that search's conditions at the point where the name appears.

If a frequently used search condition is long, saving it as a macro spares you from writing it out every time.

Examples of macro usage and settings

Usage example: Exclude from the search results all events between 2023/4/1 00:00:00 and 2023/4/2 01:00:00 and between 2023/4/2 08:55:00 and 2023/4/2 09:00:00.

Setup steps

Configure settings on Splunk Web.

  • At the upper right of the screen, click Settings, then under Knowledge click Advanced search > Search macros, and click New.
  • Select any destination app.
  • Enter the macro name in the name field. The name set here will be used when searching.
    * Characters that can be used are alphanumeric characters, underscores (_), and dashes (-).
  • Enter the following in the Definition field:
    NOT ((_time > 1427814000 _time < 1427817600) OR (_time > 1427932500 _time < 1427932800))
  • Save the macro. Optionally, on the Search macros screen, click Permissions to share the macro with other users or apps.
  • Add `<macro name>` (the macro name wrapped in backticks) to the search statement and run the search.
    Search example: index=test ERROR `macro`
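The definition above is a string of opaque epoch values, so a practitioner will want to confirm what each boundary actually covers before saving it and to generate the string from readable timestamps rather than by hand. The following Python is an added example, not code from the page or from Splunk; it assumes the timestamps are in JST (UTC+9), and the macro name `exclude_maintenance` is a constructed placeholder.

```python
from datetime import datetime, timedelta, timezone

# Assumed timezone for the human-readable timestamps (JST, UTC+9, no DST).
LOCAL_TZ = timezone(timedelta(hours=9), name="JST")
FMT = "%Y/%m/%d %H:%M:%S"

# Definition string exactly as it appears on the page, used for a round-trip check.
PAGE_DEFINITION = ("NOT ((_time > 1427814000 _time < 1427817600) "
                   "OR (_time > 1427932500 _time < 1427932800))")


def to_epoch(ts: str, tz: timezone = LOCAL_TZ) -> int:
    """Convert 'YYYY/MM/DD HH:MM:SS' in tz to the Unix epoch that _time holds."""
    return int(datetime.strptime(ts, FMT).replace(tzinfo=tz).timestamp())


def from_epoch(epoch: int, tz: timezone = LOCAL_TZ) -> str:
    """Render an epoch boundary back as local time to see what it really covers."""
    return datetime.fromtimestamp(epoch, tz).strftime(FMT)


def exclusion_macro(windows, tz: timezone = LOCAL_TZ) -> str:
    """Build the NOT (...) definition that drops events inside each (start, end) window."""
    parts = []
    for start, end in windows:
        s, e = to_epoch(start, tz), to_epoch(end, tz)
        if e <= s:
            raise ValueError(f"window end must be after start: {start} .. {end}")
        # SPL ANDs adjacent terms implicitly, so no explicit AND is needed.
        parts.append(f"(_time > {s} _time < {e})")
    return "NOT (" + " OR ".join(parts) + ")"


def macros_conf_stanza(name: str, definition: str) -> str:
    """macros.conf equivalent of the definition entered in Splunk Web.

    The definition is spliced verbatim into every search that calls the macro,
    which is why the Permissions step matters: whoever can edit it shapes results.
    """
    return f"[{name}]\ndefinition = {definition}\n"


if __name__ == "__main__":
    # Decode the page's four boundaries into local time.
    for b in (1427814000, 1427817600, 1427932500, 1427932800):
        print(b, "=", from_epoch(b), LOCAL_TZ.tzname(None))
    # Round trip: rebuilding from the decoded boundaries must reproduce the page's string.
    windows = [(from_epoch(1427814000), from_epoch(1427817600)),
               (from_epoch(1427932500), from_epoch(1427932800))]
    assert exclusion_macro(windows) == PAGE_DEFINITION
    print(macros_conf_stanza("exclude_maintenance", exclusion_macro(windows)))
```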

that's all