Macros
Description
Search macros are reusable parts of SAF Language queries that can be used in other search queries.
Structure
Only letters, numbers, hyphens, and underscores can be used in the macro name.
Macros contain the following parameters:
| Field Name | Description | Required |
|---|---|---|
| Macros name | The name of the macro | Yes |
| Search query text | The text of the search query that will replace this macro. If arguments are used, they should be enclosed in dollar signs, e.g., $arg1$ | Yes |
| Arguments | A string with argument names separated by commas | No |
If the macro has arguments, the number of arguments should be indicated at the end of the name in parentheses. For example: my_macro(2)
Examples of Usage
Querying Data from the sysmon_operational Index for the Last Week
| Parameter | Value |
|---|---|
| Name | source_sysmon(1) |
| Search Query text | source sysmon_operational-* earliest="now-7d" latest="now" qsize=$qsize$ |
| Arguments | qsize |
To call a macro in a query, its name must be enclosed in backticks ` `. If the macro has arguments, they must be specified in parentheses, separated by commas. If you need to pass a comma in an argument, it must be escaped using a backslash.
Example query:
`source_sysmon(1000)`
| stats count by host.hostname
After processing, the query will be transformed into the following form:
source sysmon_operational-* earliest="now-7d" latest="now" qsize=1000
| stats count by host.hostname
Calling the stats Command with a Function and by Fields
| Parameter | Value |
|---|---|
| Name | stats_rename_macros(3) |
| Definition | stats $func$ by $field$ | rename '$func$' as $newfield$ |
| Arguments | func,field,newfield |
In this macro, the first parameter is the function of the stats command, the second parameter is the by fields, and the third parameter is the name of the new field.
By escaping the comma, you can pass multiple by fields to this macro.
Example query:
`source_sysmon(1000)`
| `stats_rename_macros(values(event.code), host.hostname \, winlog.task, vals)`
After processing, the query will be transformed into the following form:
source sysmon_operational-* earliest="now-7d" latest="now" qsize=1000
| stats values(event.code) by host.hostname , winlog.task | rename 'values(event.code)' as vals