Macros and Tokens: Getting the Best Use of Them


While at a client recently, I had the task of creating a dashboard that could show the high-water marks (highest points) and averages of Linux and Windows data. The Windows and Linux data needed to be viewable separately, but also in total. To accomplish this, I created a base search driven by six macros: two that cover both operating systems (one per calculation mode), and two per operating system (one per calculation mode). My first step was to create the macros. This is done under Settings > Advanced Search > Search Macros. Once on that page, click “New”. You will be redirected here:


My naming convention for this was “OSsystem_calculationmode_macro” (this matters later, when we create the tokens in the dashboard’s xml). When adding a new macro, the “definition” is the search that corresponds to the OS and calculation mode in the name. For example, the definition of all_average_macro is a search that includes both the linux and windows indexes.


My six macros were:

1. windows_highwater_macro
2. windows_average_macro
3. linux_highwater_macro
4. linux_average_macro
5. all_highwater_macro
6. all_average_macro


Once you’ve assigned the macro to an app and added a name and definition, you can click “Save” in the bottom right.


Now we have to create the tokens and the xml.

I decided to use radio inputs to select the OS and the calculation mode. An example of how to create the two radio inputs in your xml is below (each `<input>` must be closed, and each `<choice>` value becomes the token’s value when selected):

<input type="radio" token="ostype" searchWhenChanged="true">
  <label>Select an Operating System:</label>
  <!-- the selected value is substituted wherever $ostype$ appears -->
  <choice value="windows">Windows</choice>
  <choice value="linux">Linux</choice>
  <choice value="all">All</choice>
</input>

<input type="radio" token="calcmode" searchWhenChanged="true">
  <label>Select a Calculation Mode:</label>
  <!-- the selected value is substituted wherever $calcmode$ appears -->
  <choice value="average">Average</choice>
  <choice value="highwater">Highwater</choice>
</input>


My tokens are $ostype$ and $calcmode$. They are used in the base search of the dashboard xml, where the query joins the two token values into a macro name. The search looks like this:

`$ostype$_$calcmode$_macro` | rest of search

<search id="baseSearch">
  <query>`$ostype$_$calcmode$_macro` | rest of search</query>
</search>


Because each token takes its value from a radio input, the resulting macro name is always one of the six we created. For example, selecting “windows” and “highwater” in the radio inputs puts “windows_highwater_macro” into the base search.
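To show how the radio inputs and the base search fit together, here is a complete Simple XML dashboard as an added example; it is not the original dashboard from this engagement. It assumes each of the six macros ends in a transforming stats command that returns one row per host with a value field (the macro bodies are not shown on this page), and the time input, panel layout and field names are likewise assumptions.

```xml
<form>
  <label>OS Metrics: High-water Marks and Averages</label>
  <!-- Added example, not the original dashboard. Assumption: every
       *_macro returns rows with the fields host and value. -->
  <fieldset submitButton="false">
    <input type="radio" token="ostype" searchWhenChanged="true">
      <label>Select an Operating System:</label>
      <choice value="windows">Windows</choice>
      <choice value="linux">Linux</choice>
      <choice value="all">All</choice>
      <default>all</default>
    </input>
    <input type="radio" token="calcmode" searchWhenChanged="true">
      <label>Select a Calculation Mode:</label>
      <choice value="average">Average</choice>
      <choice value="highwater">Highwater</choice>
      <default>average</default>
    </input>
    <input type="time" token="timerange" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Base search: the two token values are joined into one of the six
       macro names, e.g. `linux_highwater_macro`. Because both inputs are
       radios, only the <choice> values above can reach this query. -->
  <search id="baseSearch">
    <query>`$ostype$_$calcmode$_macro` | sort - value</query>
    <earliest>$timerange.earliest$</earliest>
    <latest>$timerange.latest$</latest>
  </search>

  <row>
    <panel>
      <title>$calcmode$ per host ($ostype$)</title>
      <table>
        <!-- post-process search: runs on the base search results only -->
        <search base="baseSearch">
          <query>| head 20 | table host value</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Top 10 hosts</title>
      <chart>
        <search base="baseSearch">
          <query>| head 10 | fields host value</query>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</form>
```

Save this as a dashboard in the same app the macros were assigned to, since a macro that is private or scoped to another app will not resolve from the base search. Keeping both selectors as radio inputs is what makes the macro name trustworthy: the token can only hold one of the listed choice values, so the concatenated name is always one of the six macros you defined. If one of the selectors were a text input instead, whatever the user typed would be substituted into the query unchanged, so the fixed-choice input is the right design for building a search command name from a token.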


For more information on using macros in Splunk, check out:

For more information on tokens, visit:
