Using macros to reuse logic

A macro serves the purpose of replacing bits of search language with expanded phrases (additionally, macros have other uses, such as assisting in workflow creation).

Using macros can help you reuse logic and greatly reduce the length of queries.

Let's use the following as our example case:

sourcetype="impl_splunk_gen_SomeMoreLogs" user=mary
| transaction maxpause=5m user
| stats avg(duration) avg(eventcount)

Creating a simple macro

Let's take the last two lines of our query and convert them to a macro. First, navigate to Settings | Advanced search | Advanced search | Search macros and click on New.

Walking through our fields, ...

Get Implementing Splunk - Second Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Implementing Splunk - Second Edition by Vincent Bumgarner, James D Miller

Using macros to reuse logic

Creating a simple macro

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly