Splunk_Docker/files/splunk-etc/apps/search/default/macros.conf

#   Version 9.2.2.20240415
[audit_searchlocal]
definition = `audit_searchlocal("search_id!=rt_*")`

[audit_searchlocal(1)]
args = filter
definition = search index=_audit action=search (id=* OR search_id=*) | eval search_id = if(isnull(search_id), id, search_id) | replace '*' with * in search_id | search $filter$

[audit_rexsearch]
definition = rex "search='(?<search>.*?)', autojoin"

[truncate_search]
definition = eval search=if(length(search) > 150, substr(search, 0, 150) + "...", search)

[comment(1)]
args = text
definition = ""
iseval = 1

[set_local_host]
definition = rest splunk_server=local /services/server/info | return host

[histperc(3)]
args = perc, hist_rate, le
definition = sort $le$\
| eventstats max($hist_rate$) as total_hist_rate, last($le$) as uppermost_bound, count as num_buckets\
| eval rank=exact($perc$)*total_hist_rate\
| streamstats current=f last($le$) as gr, last($hist_rate$) as last_hist_rate\
| eval gr=if(isnull(gr), 0, gr), last_hist_rate=if(isnull(last_hist_rate), 0, last_hist_rate)\
| where $hist_rate$ >= rank\
| head 1\
| eval res=case(lower(uppermost_bound) != "+inf" or num_buckets < 2, "NaN", lower($le$) == "+inf", gr, gr == 0 and $le$ <= 0, $le$, true(), exact(gr + ($le$-gr)*(rank - last_hist_rate) / ($hist_rate$ - last_hist_rate)))\
| fields res\
| rename res as "histperc"
iseval = 0
validation = isnum($perc$) and $perc$ >= 0 and $perc$ <= 1 and isstr($hist_rate$) and isstr($le$)
errormsg = 1st arg "perc" must be a number between 0 and 1 (inclusive), 2nd arg "hist_rate" should be string representing a field name, and 3rd arg "le" must be the field name with the histogram buckets' upper boundaries.

[histperc(4)]
args = perc, hist_rate, le, groupby
definition = sort $groupby$, $le$\
| eventstats max($hist_rate$) as total_hist_rate, last($le$) as uppermost_bound, count as num_buckets by $groupby$\
| eval rank=exact($perc$)*total_hist_rate\
| streamstats current=f last($le$) as gr, last($hist_rate$) as last_hist_rate by $groupby$\
| eval gr=if(isnull(gr), 0, gr), last_hist_rate=if(isnull(last_hist_rate), 0, last_hist_rate)\
| where $hist_rate$ >= rank\
| dedup $groupby$\
| eval res=case(lower(uppermost_bound) != "+inf" or num_buckets < 2, "NaN", lower($le$) == "+inf", gr, gr == 0 and $le$ <= 0, $le$, true(), exact(gr + ($le$-gr)*(rank - last_hist_rate) / ($hist_rate$ - last_hist_rate)))\
| fields $groupby$, res\
| rename res as "histperc"
iseval = 0
validation = isnum($perc$) and $perc$ >= 0 and $perc$ <= 1 and isstr($hist_rate$) and isstr($le$) and isstr($groupby$)
errormsg = 1st arg "perc" must be a number between 0 and 1 (inclusive), 2nd arg "hist_rate" should be string representing a field name, and 3rd arg "le" must be the field name with the histogram buckets' upper boundaries. 4th arg "groupby" must be a string with one or more field names, and must be quoted if there are multiple fields.
Inital Commit 7 months ago			`# Version 9.2.2.20240415`
			`[audit_searchlocal]`
			definition = `audit_searchlocal("search_id!=rt_*")`

			`[audit_searchlocal(1)]`
			`args = filter`
			`definition = search index=_audit action=search (id=* OR search_id=) \| eval search_id = if(isnull(search_id), id, search_id) \| replace '' with * in search_id \| search $filter$`

			`[audit_rexsearch]`
			`definition = rex "search='(?<search>.*?)', autojoin"`

			`[truncate_search]`
			`definition = eval search=if(length(search) > 150, substr(search, 0, 150) + "...", search)`

			`[comment(1)]`
			`args = text`
			`definition = ""`
			`iseval = 1`

			`[set_local_host]`
			`definition = rest splunk_server=local /services/server/info \| return host`

			`[histperc(3)]`
			`args = perc, hist_rate, le`
			`definition = sort $le$\`
			`\| eventstats max($hist_rate$) as total_hist_rate, last($le$) as uppermost_bound, count as num_buckets\`
			`\| eval rank=exact($perc$)*total_hist_rate\`
			`\| streamstats current=f last($le$) as gr, last($hist_rate$) as last_hist_rate\`
			`\| eval gr=if(isnull(gr), 0, gr), last_hist_rate=if(isnull(last_hist_rate), 0, last_hist_rate)\`
			`\| where $hist_rate$ >= rank\`
			`\| head 1\`
			`\| eval res=case(lower(uppermost_bound) != "+inf" or num_buckets < 2, "NaN", lower($le$) == "+inf", gr, gr == 0 and $le$ <= 0, $le$, true(), exact(gr + ($le$-gr)*(rank - last_hist_rate) / ($hist_rate$ - last_hist_rate)))\`
			`\| fields res\`
			`\| rename res as "histperc"`
			`iseval = 0`
			`validation = isnum($perc$) and $perc$ >= 0 and $perc$ <= 1 and isstr($hist_rate$) and isstr($le$)`
			`errormsg = 1st arg "perc" must be a number between 0 and 1 (inclusive), 2nd arg "hist_rate" should be string representing a field name, and 3rd arg "le" must be the field name with the histogram buckets' upper boundaries.`

			`[histperc(4)]`
			`args = perc, hist_rate, le, groupby`
			`definition = sort $groupby$, $le$\`
			`\| eventstats max($hist_rate$) as total_hist_rate, last($le$) as uppermost_bound, count as num_buckets by $groupby$\`
			`\| eval rank=exact($perc$)*total_hist_rate\`
			`\| streamstats current=f last($le$) as gr, last($hist_rate$) as last_hist_rate by $groupby$\`
			`\| eval gr=if(isnull(gr), 0, gr), last_hist_rate=if(isnull(last_hist_rate), 0, last_hist_rate)\`
			`\| where $hist_rate$ >= rank\`
			`\| dedup $groupby$\`
			`\| eval res=case(lower(uppermost_bound) != "+inf" or num_buckets < 2, "NaN", lower($le$) == "+inf", gr, gr == 0 and $le$ <= 0, $le$, true(), exact(gr + ($le$-gr)*(rank - last_hist_rate) / ($hist_rate$ - last_hist_rate)))\`
			`\| fields $groupby$, res\`
			`\| rename res as "histperc"`
			`iseval = 0`
			`validation = isnum($perc$) and $perc$ >= 0 and $perc$ <= 1 and isstr($hist_rate$) and isstr($le$) and isstr($groupby$)`
			`errormsg = 1st arg "perc" must be a number between 0 and 1 (inclusive), 2nd arg "hist_rate" should be string representing a field name, and 3rd arg "le" must be the field name with the histogram buckets' upper boundaries. 4th arg "groupby" must be a string with one or more field names, and must be quoted if there are multiple fields.`