
How can I expand a macro definition in the search field?


Sometimes Splunk will just do this, like when you try to add an additional term from the Events tab, but what if I wanted to do it on demand?

Is there a way to tell Splunk to expand a macro to its fully exploded form?

This would make editing and debugging macros much more fluid. I would be surprised if something like this wasn't implemented, but I have scoured the docs and come up empty. Any tips?


There is now an answer for this. From that post:

New in 6.6, there is now a keystroke to expand macros in the search window! Click inside your search and press cmd-shift-E (on Mac, should be shift-WIN-E on Windows) and you'll see a window like this:

Splunk Employee

Just an update: it is Control+Shift+E on Windows.

0 Karma


Sure would be nice if this was discoverable!

0 Karma


There is a REST call that can do macro expansion:

$ curl -k https://localhost:8089/servicesNS/admin/search/search/intentionsparser -u admin -d 'q=search index=_internal `sin(90)`' -d "action=addterm" -d "value="
<?xml version="1.0" encoding="UTF-8"?>
    <key name="fullSearch">| search index=_internal (90 - pow(90, 3)/6 + pow(90, 5)/120 - pow(90, 7)/5040 + pow(90, 9)/362880 - pow(90, 11)/39916800 + pow(90, 13)/6227020800)</key>
    <key name="eventsSearch">search index=_internal (90 - pow(90, 3)/6 + pow(90, 5)/120 - pow(90, 7)/5040 + pow(90, 9)/362880 - pow(90, 11)/39916800 + pow(90, 13)/6227020800)</key>
    <key name="reportsSearch"></key>
    <key name="canSummarize">0</key>

The challenge would be to include that in the UI 🙂

0 Karma
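
For non-interactive use, the REST call in the post above can be scripted. The following is an added example, not code from the thread or from Splunk: it builds the same POST with the SPL form-encoded, verifies the server certificate instead of using curl's -k, and pulls fullSearch out of the reply. The macro `errors_only`, the sample response and its wrapper elements, and the function names are assumptions.

```python
import base64, ssl
import urllib.parse, urllib.request
import xml.etree.ElementTree as ET

# Path and form fields are copied from the curl call in the post above.
ENDPOINT = "/servicesNS/{user}/{app}/search/intentionsparser"

# Constructed sample response. The <key> names match the output quoted above; the
# <response>/<dict> wrappers and the macro `errors_only` are assumptions.
SAMPLE_RESPONSE = """\
<?xml version="1.0" encoding="UTF-8"?>
<response><dict>
    <key name="fullSearch">| search index=_internal (log_level=ERROR)</key>
    <key name="eventsSearch">search index=_internal (log_level=ERROR)</key>
    <key name="reportsSearch"></key>
    <key name="canSummarize">0</key>
</dict></response>"""

def build_request(base_url, user, app, spl):
    """Return (url, body). urlencode() escapes the backticks, spaces and '='
    in the SPL so the search string reaches the server intact."""
    path = ENDPOINT.format(user=urllib.parse.quote(user, safe=""),
                           app=urllib.parse.quote(app, safe=""))
    body = urllib.parse.urlencode({"q": spl, "action": "addterm", "value": ""})
    return base_url.rstrip("/") + path, body.encode("ascii")

def parse_expansion(xml_data):
    """Map each <key name="..."> to its text, whatever wrapper elements or XML
    namespace surround it. Raises ValueError if fullSearch is missing."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    keys = {}
    for el in ET.fromstring(xml_data).iter():
        if el.tag.rsplit("}", 1)[-1] == "key" and "name" in el.attrib:
            keys[el.attrib["name"]] = (el.text or "").strip()
    if "fullSearch" not in keys:
        raise ValueError("response has no fullSearch key")
    return keys

def expand(base_url, user, password, app, spl, cafile=None):
    """POST the search and return the expanded SPL. The default SSL context
    verifies the server certificate; pass cafile for a private CA."""
    url, body = build_request(base_url, user, app, spl)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Authorization": "Basic " + token})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_expansion(resp.read())["fullSearch"]
```

Only expand() touches the network; parse_expansion(SAMPLE_RESPONSE) runs offline against the constructed reply.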


This appears to be an undocumented trick; it works outside Splunk (for example, a curl call) but not via a | rest call in the search interface.

Do you happen to have a trick that works within the search interface? Thanks!

0 Karma


FYI, I had a minor use case where I wanted to expand macros non-interactively, so that's why I cannot use the CTRL-SHIFT-E trick here... (even though I have Splunk 7 installed)
If there is an answer, that's great, but it's not that important.

0 Karma

Path Finder

I had this situation where I needed to check what macro definition the search was using.
For that I used the "eventSearch" field from the Inspect Job page. I was able to see the fully expanded search.
But what you are looking for seems different. You need a command to expand the macro? Interesting! Let's see if someone answers.
