The "vulns" macro basicaly searches the variable name hostname in the fields ip, dns or netbios. The reason for that is to be sure to catch the right data were ever it is defined.
args = hostname
sourcetype=whatever (ip="$name$" OR dns="$name$" OR netbios="$name$") | dedup host_id,qid
The vulns macro below is the more advanced version, as it takes some variables from a search form (see the $xxx$ definitions) and adds the tagging information from the mp_tag macro.
sourcetype=whatever| fillnull signature | fillnull os | `mp_tag` | search (ip="$name$" OR dns="$name$" OR netbios="$name$") patchable=$patchable$ os="$os$" signature="$signature$" internal="$internal$" severity_id > $sev$ owner=$owner$ action=$action$ | dedup host_id,qid