How can I expand a macro definition in the search field?

neiljpeterson
Communicator

Sometimes Splunk will just do this, like when you try to add an additional term from the Events tab, but what if I wanted to do it on demand?

Is there a way to tell Splunk to expand a macro to its fully exploded form?

This would make editing and debugging macros much more fluid. I would be surprised if something like this wasn't implemented, but I have scoured the docs and come up empty. Any tips?

micahkemp
Champion

There is now an answer for this. From that post:

New in 6.6, there is now a keystroke to expand macros in the search window! Click inside your search and press cmd-shift-E (on Mac, should be shift-WIN-E on Windows) and you'll see a window like this:

yahuja_splunk
Splunk Employee

Just an update: it is control+shift+E in Windows.

0 Karma

vbumgarner
Contributor

Sure would be nice if this was discoverable!

0 Karma

martin_mueller
SplunkTrust

There is a REST call that can do macro expansion:

$ curl -k https://localhost:8089/servicesNS/admin/search/search/intentionsparser -u admin -d 'q=search index=_internal `sin(90)`' -d "action=addterm" -d "value="
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <dict>
    <key name="fullSearch">| search index=_internal (90 - pow(90, 3)/6 + pow(90, 5)/120 - pow(90, 7)/5040 + pow(90, 9)/362880 - pow(90, 11)/39916800 + pow(90, 13)/6227020800)</key>
    <key name="eventsSearch">search index=_internal (90 - pow(90, 3)/6 + pow(90, 5)/120 - pow(90, 7)/5040 + pow(90, 9)/362880 - pow(90, 11)/39916800 + pow(90, 13)/6227020800)</key>
    <key name="reportsSearch"></key>
    <key name="canSummarize">0</key>
  </dict>
</response>

The challenge would be to include that in the UI 🙂

0 Karma
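A non-interactive way to use the same endpoint, as an added example that is not part of this thread or of Splunk's own tooling: a small Python script that builds the POST the curl call above sends, parses the XML reply, and returns the fullSearch value. The network call is only exercised against a real splunkd; the parsing and request construction are demonstrated offline on a constructed sample response copied in shape from the output above. The owner/app namespace (servicesNS/<user>/search), the password value and the function names are assumptions for illustration.

```python
import base64
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample response, copied in shape from the curl output above
# (the expansion is shortened so the sample stays readable).
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<response>
  <dict>
    <key name="fullSearch">| search index=_internal (90 - pow(90, 3)/6 + pow(90, 5)/120)</key>
    <key name="eventsSearch">search index=_internal (90 - pow(90, 3)/6 + pow(90, 5)/120)</key>
    <key name="reportsSearch"></key>
    <key name="canSummarize">0</key>
  </dict>
</response>
"""


def parse_intentions_response(xml_text):
    """Turn the <key name="..."> entries of an intentionsparser reply into a dict.

    Empty elements (reportsSearch above) come back as "" rather than None.
    """
    root = ET.fromstring(xml_text)
    return {key.get("name"): (key.text or "") for key in root.iter("key")}


def expanded_search(xml_text):
    """The fully expanded SPL from a reply, or None when it carried no fullSearch."""
    return parse_intentions_response(xml_text).get("fullSearch") or None


def build_request(base_url, username, password, search, owner=None, app="search"):
    """Build (url, body, headers) for the same POST the curl call above sends.

    owner defaults to the authenticating user (assumption: that matches the
    servicesNS/admin/search path in the example); app is the namespace whose
    macros should be visible to the expansion.
    """
    owner = owner or username
    url = f"{base_url.rstrip('/')}/servicesNS/{owner}/{app}/search/intentionsparser"
    body = urllib.parse.urlencode(
        {"q": search, "action": "addterm", "value": ""}
    ).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return url, body, headers


def expand_macros(base_url, username, password, search, verify_tls=True, timeout=30):
    """Call splunkd and return the expanded search (network call; not run offline).

    verify_tls=False reproduces curl -k for a lab instance with a self-signed
    certificate; keep the default for anything beyond a local test box.
    """
    url, body, headers = build_request(base_url, username, password, search)
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return expanded_search(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call expand_macros(...)
    # against a real splunkd management port (8089) to expand your own macros.
    print(expanded_search(SAMPLE_RESPONSE))
```

Because the macro text goes into the form body URL-encoded, the backticks never reach a shell, which sidesteps the quoting problem the raw curl one-liner has in bash (backticks inside double quotes are command substitution there).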

gjanders
SplunkTrust

This appears to be an undocumented trick; it works outside Splunk (for example, a curl call) but not via a | rest call in the search interface.

Do you happen to have a trick that works within the search interface? Thanks!

0 Karma

gjanders
SplunkTrust

FYI, I had a minor use case where I wanted to expand macros non-interactively, so that's why I cannot use the CTRL-SHIFT-E trick here (even though I have Splunk 7 installed).
If there is an answer, that's great, but it's not that important.

0 Karma

immortalraghava
Path Finder

I had this situation where I needed to check what macro definition the search was using.
For that I used the "eventSearch" field from the Inspect Job page. I was able to see the fully expanded search.
But what you are looking for seems different. You need a command to expand the macro? Interesting! Let's see if someone answers.
