SPLUNK’s Advance Topic
2 min read
Macros
Search macros are reusable chunks of Search Processing Language (SPL) that you can insert into other searches. Search macros can be any part of a search, such as an eval statement or search term, and do not need to be a complete command. You can also specify whether the macro field takes any arguments.
• eval based
• non-eval based
A macro is called by writing it’s name between ticks (`sample_macro`).
Base Search
Base Search concept is an advanced concept in Splunk which generally developers uses to optimize Splunk searches. It is similar to that of macro conceptually but the only limitation is the base query can only be used in the same dashboard.
Let’s assume a part of query needs to be reused multiple times in the same dashboard followed by stats/time-chart command which will be replaced for each panel. In such case, you can use base search concept.
Advantage:
• Optimizes Splunk load as the base query is called only once and used multiple times.
Hide/Un-Hide
Hide/Un-Hide concept is another advanced topic in Splunk.
It is used to neatly present your dashboard and showcase only the panels those are relevant and hide the others.
It can also be used to hide the panels when there is no result in the output and show/unhide only when it has some data.
Drill Downs
Drilldown is a special feature in Splunk which helps to navigate to further detailed dashboards or specific queries which clicked on a particular panel.
Assume the dashboard has 4 panels showing different KPI’s on a high level and we observed an issue in one of the KPI. Clicking on that panel can take you to a new dashboard or a new search query which will give you more insight of the problem.
Drilldown can help you redirect to a new panel or search when clicked on it.
