topic Re: Macro expansion via SPL/REST in Splunk Search

Macro expansion via SPL/REST

paulcurry — Thu, 20 Jun 2024 23:12:29 GMT

I have a search that returns all of my correlation searches for a given app.

| rest splunk_server=local count=0 /services/saved/searches | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") | rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain | search app=my_app | table csearch_name, csearch_label, app, security_domain, qualifiedSearch, description

This works fine and gives the desired output. However, I would like to add a line in there that would automatically expand any macros in the qualifiedSearch field.

e.g.

search `azuread` "body.operationName"="Add member to role"

but return:
search sourcetype=mscs:azure:eventhub "body.operationName"="Add member to role"

Is there a lookup or macroExpand function that I could add to my SPL to do this?

Re: Macro expansion via SPL/REST

dtburrows3 — Tue, 09 Jan 2024 01:23:47 GMT

I also was looking for something that did this for a really long time and could never find anything.
I know about the CMD+SHIFT+E to expand macros on the UI but needed the same functionality inline in a search to use for meta-analysis (breaking down SPL to its components and analyzing).

I feel like there is some way of doing this that exists somewhere but have not had much luck finding it.
So went ahead and tried making a custom command to do it and it actually seems to work out pretty well.
I do want to note that this custom command is recursive in a sense that it expands the macros all the way down. Meaning that if there are nested macros that this will expand the nested ones as well all the way unil there are no more macros to expand. So end result should be a fully detailed SPL that is being executed. It will also replace the input args with the values it finds in the input field so it will also return that SPL that would run for that specific search with the given arguments.
You can see an example of the output here (this particular example is derived from a dashboard, so input arguments are still tokenized and will be represented as such in the "expanded_spl" field):

If you are still interested in this than you can give this a try, I think it will require entries in a commands.conf, searchbnf.conf metadata/local.meta and a custom python script in bin/

There is also a dependency on Splunk Python SDK.

Send me a message and I can get it packed up in a custom app to share if you still are needing this functionality.

Re: Macro expansion via SPL/REST

johnhadfield — Mon, 17 Jun 2024 15:21:20 GMT

@dtburrows3 Would you be able to share your code or a snippet of the relevant function calls? I am trying to create a similar expansion command but have not yet been able to locate the appropriate functions to use in the Splunk Python SDK.

Re: Macro expansion via SPL/REST

dtburrows3 — Thu, 20 Jun 2024 21:31:01 GMT

You can give this a try
https://github.com/dtburrows3/Splunk_Expand_Macros_Command

A work in progress but seems to cover majority of things I have thrown at it so far.