Knowledge Management

How can I expand a macro definition in the search field?

neiljpeterson
Communicator

Sometimes Splunk will just do this, like when you try to add an additional term from the Events tab, but what if I wanted to do it on demand?

Is there a way to tell Splunk to expand a macro to its fully exploded form?

This would make editing and debugging macros much more fluid. I would be surprised if something like this wasn't implemented, but I have scoured the docs and come up empty. Any tips?

micahkemp
Champion

There is now an answer for this. From that post:

New in 6.6, there is now a keystroke to expand macros in the search window! Click inside your search and press cmd-shift-E (on Mac, should be shift-WIN-E on Windows) and you'll see a window like this:

yahuja_splunk
Splunk Employee
Splunk Employee

Just an update it is control+shift+E in windows

0 Karma

vbumgarner
Contributor

Sure would be nice if this was discoverable!

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

There is a REST call that can do macro expansion:

$ curl -k https://localhost:8089/servicesNS/admin/search/search/intentionsparser -u admin -d "q=search index=_internal `sin(90)`" -d "action=addterm" -d "value="
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <dict>
    <key name="fullSearch">| search index=_internal (90 - pow(90, 3)/6 + pow(90, 5)/120 - pow(90, 7)/5040 + pow(90, 9)/362880 - pow(90, 11)/39916800 + pow(90, 13)/6227020800)</key>
    <key name="eventsSearch">search index=_internal (90 - pow(90, 3)/6 + pow(90, 5)/120 - pow(90, 7)/5040 + pow(90, 9)/362880 - pow(90, 11)/39916800 + pow(90, 13)/6227020800)</key>
    <key name="reportsSearch"></key>
    <key name="canSummarize">0</key>
  </dict>
</response>

The challenge would be to include that in the UI 🙂

0 Karma

gjanders
SplunkTrust
SplunkTrust

This appears to be an undocumented trick, it works outside Splunk (for example a curl call) but not via a | rest call in the search interface.

Do you happen to have a trick that works within the search interface? Thanks!

0 Karma

gjanders
SplunkTrust
SplunkTrust

FYI I had a minor use case where I wanted to expand macros non-interactively so that's why I cannot use the CTRL-SHIFT-E trick here...(even though I have Splunk 7 installed)
If there is an answer that's great, but it's not that important

0 Karma

immortalraghava
Path Finder

I had this situation where I needed to check what macro definition the search was using.
For that I used the "eventSearch" field from the Inspect Job page. I was able to see the fully expanded search.
But what you are looking for seems different. You need a command to expand the macro? Interesting ! Lets see if someone answers

Get Updates on the Splunk Community!

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...

Out of the Box to Up And Running - Streamlined Observability for Your Cloud ...

  Tech Talk Streamlined Observability for Your Cloud Environment Register    Out of the Box to Up And Running ...

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...