Administrator
/
Splunk_Docker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
Splunk_Docker/files/splunk-etc/apps/search/default/macros.conf

54 lines
2.8 KiB
Raw Permalink Blame History

# Version 9.2.2.20240415
[audit_searchlocal]
definition = `audit_searchlocal("search_id!=rt_*")`
[audit_searchlocal(1)]
args = filter
definition = search index=_audit action=search (id=* OR search_id=*) | eval search_id = if(isnull(search_id), id, search_id) | replace '*' with * in search_id | search $filter$
[audit_rexsearch]
definition = rex "search='(?<search>.*?)', autojoin"
[truncate_search]
definition = eval search=if(length(search) > 150, substr(search, 0, 150) + "...", search)
[comment(1)]
args = text
definition = ""
iseval = 1
[set_local_host]
definition = rest splunk_server=local /services/server/info | return host
[histperc(3)]
args = perc, hist_rate, le
definition = sort $le$\
| eventstats max($hist_rate$) as total_hist_rate, last($le$) as uppermost_bound, count as num_buckets\
| eval rank=exact($perc$)*total_hist_rate\
| streamstats current=f last($le$) as gr, last($hist_rate$) as last_hist_rate\
| eval gr=if(isnull(gr), 0, gr), last_hist_rate=if(isnull(last_hist_rate), 0, last_hist_rate)\
| where $hist_rate$ >= rank\
| head 1\
| eval res=case(lower(uppermost_bound) != "+inf" or num_buckets < 2, "NaN", lower($le$) == "+inf", gr, gr == 0 and $le$ <= 0, $le$, true(), exact(gr + ($le$-gr)*(rank - last_hist_rate) / ($hist_rate$ - last_hist_rate)))\
| fields res\
| rename res as "histperc"
iseval = 0
validation = isnum($perc$) and $perc$ >= 0 and $perc$ <= 1 and isstr($hist_rate$) and isstr($le$)
errormsg = 1st arg "perc" must be a number between 0 and 1 (inclusive), 2nd arg "hist_rate" should be string representing a field name, and 3rd arg "le" must be the field name with the histogram buckets' upper boundaries.
[histperc(4)]
args = perc, hist_rate, le, groupby
definition = sort $groupby$, $le$\
| eventstats max($hist_rate$) as total_hist_rate, last($le$) as uppermost_bound, count as num_buckets by $groupby$\
| eval rank=exact($perc$)*total_hist_rate\
| streamstats current=f last($le$) as gr, last($hist_rate$) as last_hist_rate by $groupby$\
| eval gr=if(isnull(gr), 0, gr), last_hist_rate=if(isnull(last_hist_rate), 0, last_hist_rate)\
| where $hist_rate$ >= rank\
| dedup $groupby$\
| eval res=case(lower(uppermost_bound) != "+inf" or num_buckets < 2, "NaN", lower($le$) == "+inf", gr, gr == 0 and $le$ <= 0, $le$, true(), exact(gr + ($le$-gr)*(rank - last_hist_rate) / ($hist_rate$ - last_hist_rate)))\
| fields $groupby$, res\
| rename res as "histperc"
iseval = 0
validation = isnum($perc$) and $perc$ >= 0 and $perc$ <= 1 and isstr($hist_rate$) and isstr($le$) and isstr($groupby$)
errormsg = 1st arg "perc" must be a number between 0 and 1 (inclusive), 2nd arg "hist_rate" should be string representing a field name, and 3rd arg "le" must be the field name with the histogram buckets' upper boundaries. 4th arg "groupby" must be a string with one or more field names, and must be quoted if there are multiple fields.
Reference in new issue View Git Blame Copy Permalink

Powered by BW's shoe-string budget.