This macro uses a few interesting features, as follows:
• Macros can take arguments. The number of arguments is specified in the name of the macro by appending ([argument count]) to the name of the macro. In this case, we are expecting five arguments.
• The definition of a macro can actually be an eval statement. This means we can use eval functions to build our query based on some value handed to the macro. In this case, we are using strptime. Things to note about this feature are as follows:
° The eval statement is expected to return a string. If your statement fails, for some reason, to return a string, the user will see an error.
° The variable names specified are replaced before the eval statement is executed. This means that there may be issues with escaping the values in the variables, so some care is required to handle a value that does or does not contain quotes as expected.
• Use eval-based definition? is checked to indicate that this macro is expected to be parsed as an eval statement.
• In the Arguments field, we specify names for the arguments handed in. These are the names we refer to in the Definition field.
After clicking on Save, we have a working macro. You might make adjustments to this workflow action to better suit your needs. Let's change the definition to sort events by ascending time, and prevent searching across indexes. Change the workflow action definition Search string to:
`context("$@field_name$", "$@field_value$", "$_time$", "-1m", "+5m")` index=$index$ | reverse
Let's expand this just for clarity, like this:
`context("$@field_name$", "$@field_value$", "$_time$", "-1m", "+5m")` index=$index$ | reverse
`context("ip", "1.22.3.3", "2012-05-16T20:23:59-0500", "-1m", "+5m")` index=implsplunk | reverse
earliest=-1m latest=+5m now=1337217839 ip=1.22.3.3 index=implsplunk | reverse
You can create multiple workflow actions that specify different time frames, or include other fields, for instance host.