Macro name and value conventions


Macro names can contain only alphanumeric characters and underscores, and are always down-cased to lowercase letters. Macro values can be no longer than 500 characters. (In any match expression, the total number of characters allowed is 2000, which generally permits multiple large macros to be used in a single correlation statement.) 

Other conventions, although not necessarily strictly required, include the following: 

  1. The macro name contains a prefix that describes the particular type of macro. All default macros begin with a gen_ prefix to identify them as generic macros. Other prefixes might include proc_ for process macros, unix_ for UNIX macros, and win_ for Windows macros. This helps organize the data.
  2. Opening and closing parentheses usually bracket macro values. While this is not strictly required, it makes the evaluation of the macros and the display of these macro values slightly more user friendly. When the macro value is enclosed in parentheses, the macro value is interpreted as a stand-alone expression.
  3. Macro names are typically terse, under 20 characters. This promotes the idea that a macro is best used as a general sensor. If the macro name is long, then it typically corresponds to a very specific pattern that might be difficult to reuse. Also, as a side-consideration, long macro names might warp and stretch the BMC Defender Server Macros screen in an undesirable way. 

Note

Macros cannot be nested. If you need to match a message that contains a string that is identical to a macro, then you can create a macro for that string that serves to match some other portion of the target message. This is rarely necessary, because the double at-sign (@@) characters occur infrequently in messages. 

Example

To match a text string such as macro @@test@@ is undefined, you need to define a macro such as @@macro_ref@@ with a value such as macro (*) undefined, and then use that macro in a system expression.
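
The rules on this page can be checked before a macro set is loaded. The following Python lint is an added example, not BMC code: the function names are hypothetical, and it assumes plain textual substitution of @@name@@ references, case-insensitive reference lookup, and that the 2000-character limit applies to the expanded expression.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9_]+")       # alphanumerics and underscores only
REF_RE = re.compile(r"@@([A-Za-z0-9_]+)@@")  # an @@name@@ reference
MAX_VALUE = 500   # macro value limit stated on this page
MAX_EXPR = 2000   # match-expression limit stated on this page


def lint_macro(name, value):
    """Return (stored_name, problems) for one macro definition."""
    problems = []
    stored = name.lower()  # names are always down-cased
    if not NAME_RE.fullmatch(name):
        problems.append("name must be alphanumeric/underscore only")
    if len(value) > MAX_VALUE:
        problems.append(f"value is {len(value)} chars (limit {MAX_VALUE})")
    if REF_RE.search(value):
        problems.append("value references another macro; macros cannot be nested")
    if len(stored) >= 20:
        problems.append("convention: name is not under 20 characters")
    if not (value.startswith("(") and value.endswith(")")):
        problems.append("convention: value is not enclosed in parentheses")
    return stored, problems


def expand(expression, macros):
    """Substitute each @@name@@ once (no nesting); return (text, problems).

    Assumption: the 2000-character limit applies to the expanded expression.
    """
    problems = []
    def sub(m):
        key = m.group(1).lower()  # assumption: lookup is case-insensitive
        if key not in macros:
            problems.append(f"undefined macro @@{key}@@")
            return m.group(0)
        return macros[key]  # inserted as-is; re.sub does not rescan it

    text = REF_RE.sub(sub, expression)
    if len(text) > MAX_EXPR:
        problems.append(f"expanded expression is {len(text)} chars (limit {MAX_EXPR})")
    return text, problems


if __name__ == "__main__":
    # The macro from the example above, entered with mixed case.
    macros = {"macro_ref": "macro (*) undefined"}
    print(lint_macro("Macro_Ref", macros["macro_ref"]))
    print(expand("@@macro_ref@@", macros))
```

Lines prefixed with "convention:" flag the optional conventions only; the other findings correspond to the hard rules stated above.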

 
