How can I expand a macro definition in the search field?

Communicator

Sometimes Splunk will just do this, like when you try to add an additional term from the Events tab, but what if I wanted to do it on demand?

Is there a way to tell Splunk to expand a macro to its fully exploded form?

This would make editing and debugging macros much more fluid. I would be surprised if something like this wasn't implemented, but I have scoured the docs and come up empty. Any tips?

Champion

There is now an answer for this. From that post:

New in 6.6, there is now a keystroke to expand macros in the search window! Click inside your search and press cmd-shift-E (on Mac, should be shift-WIN-E on Windows) and you'll see a window like this:

Splunk Employee

Just an update: it is control+shift+E in Windows.

0 Karma

Contributor

Sure would be nice if this was discoverable!

0 Karma

SplunkTrust

There is a REST call that can do macro expansion:

$ curl -k https://localhost:8089/servicesNS/admin/search/search/intentionsparser -u admin -d 'q=search index=_internal `sin(90)`' -d "action=addterm" -d "value="
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <dict>
    <key name="fullSearch">| search index=_internal (90 - pow(90, 3)/6 + pow(90, 5)/120 - pow(90, 7)/5040 + pow(90, 9)/362880 - pow(90, 11)/39916800 + pow(90, 13)/6227020800)</key>
    <key name="eventsSearch">search index=_internal (90 - pow(90, 3)/6 + pow(90, 5)/120 - pow(90, 7)/5040 + pow(90, 9)/362880 - pow(90, 11)/39916800 + pow(90, 13)/6227020800)</key>
    <key name="reportsSearch"></key>
    <key name="canSummarize">0</key>
  </dict>
</response>

The challenge would be to include that in the UI 🙂

0 Karma

SplunkTrust

This appears to be an undocumented trick; it works outside Splunk (for example, a curl call) but not via a | rest call in the search interface.

Do you happen to have a trick that works within the search interface? Thanks!

0 Karma

SplunkTrust

FYI, I had a minor use case where I wanted to expand macros non-interactively, so that's why I cannot use the CTRL-SHIFT-E trick here... (even though I have Splunk 7 installed).
If there is an answer, that's great, but it's not that important.

0 Karma

Path Finder

I had this situation where I needed to check what macro definition the search was using.
For that, I used the "eventSearch" field from the Inspect Job page. I was able to see the fully expanded search.
But what you are looking for seems different. You need a command to expand the macro? Interesting! Let's see if someone answers.
