Sometimes Splunk will just do this, like when you try to add an additional term from the Events tab, but what if I wanted to do it on demand?
Is there a way to tell Splunk to expand a macro to its fully exploded form?
This would make editing and debugging macros much more fluid. I would be surprised if something like this wasn't implemented, but I have scoured the docs and come up empty. Any tips?
There is now an answer for this. From that post:
New in 6.6, there is now a keystroke to expand macros in the search window! Click inside your search and press cmd-shift-E (on Mac, should be shift-WIN-E on Windows) and you'll see a window like this:
Just an update: it is control+shift+E in Windows.
Sure would be nice if this was discoverable!
There is a REST call that can do macro expansion:
$ curl -k https://localhost:8089/servicesNS/admin/search/search/intentionsparser -u admin -d 'q=search index=_internal `sin(90)`' -d "action=addterm" -d "value="
<?xml version="1.0" encoding="UTF-8"?>
<response>
<dict>
<key name="fullSearch">| search index=_internal (90 - pow(90, 3)/6 + pow(90, 5)/120 - pow(90, 7)/5040 + pow(90, 9)/362880 - pow(90, 11)/39916800 + pow(90, 13)/6227020800)</key>
<key name="eventsSearch">search index=_internal (90 - pow(90, 3)/6 + pow(90, 5)/120 - pow(90, 7)/5040 + pow(90, 9)/362880 - pow(90, 11)/39916800 + pow(90, 13)/6227020800)</key>
<key name="reportsSearch"></key>
<key name="canSummarize">0</key>
</dict>
</response>
The challenge would be to include that in the UI 🙂
This appears to be an undocumented trick; it works outside Splunk (for example, a curl call) but not via a | rest call in the search interface.
Do you happen to have a trick that works within the search interface? Thanks!
FYI, I had a minor use case where I wanted to expand macros non-interactively, so that's why I cannot use the CTRL-SHIFT-E trick here... (even though I have Splunk 7 installed)
If there is an answer, that's great, but it's not that important.
I had this situation where I needed to check what macro definition the search was using.
For that I used the "eventSearch" field from the Inspect Job page. I was able to see the fully expanded search.
But what you are looking for seems different. You need a command to expand the macro? Interesting! Let's see if someone answers.