Knowledge Management

Splunk macro in search string

karthikmalla
Explorer

I created a macro named auth(1); the app is ES, the argument is src, and the definition is

| from datamodel:"Authentication"."Authentication" | search (src="$src$" OR Authentication.src="$src$" OR dest="$src$" OR Authentication.dest="$src$") | eval username=user_first+" "+user_last | eval phone=if(isnull(user_phone), user_phone2, user_phone) | rename user_managedBy as userid, user_email as email, WorkstationName as workstation | fields username, email, userid, phone, workstation

And I am trying to call this macro in an ES search as

sourcetype=*someexamplesourcetype* auth(src) and this didn't work

I also tried
sourcetype=*someexamplesourcetype* auth("10.20.30.40") and this didn't work either
sourcetype=*someexamplesourcetype* auth(1) and this didn't work either

When I try

sourcetype=*someexamplesourcetype* auth I get the error message

Error in 'SearchParser': The search specifies a macro 'auth' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

Note: there are backticks in front of auth and auth(src); as you know, they would be converted to code format, so I removed the backticks in this question.

I assigned the macro access to global with read & write for everyone, and the error message still appears.


romanwaldecker
Path Finder

You forgot to embed the macro into the ` ` characters.
Like this:
`auth(src)`

PS: Yes, I know this is a really delayed answer and the problem most likely has already been solved. Just a help for users having a similar issue.


hardikJsheth
Motivator

Hi @karthikmalla,

I think you need to make it Global, and read permission is needed for the macro. I can see one issue with the definition of your macro: you need to remove the first "|" from the macro definition.

from datamodel:"Authentication"."Authentication" | search (src="$src$" OR Authentication.src="$src$" OR dest="$src$" OR Authentication.dest="$src$") | eval username=user_first+" "+user_last | eval phone=if(isnull(user_phone), user_phone2, user_phone) | rename user_managedBy as userid, user_email as email, WorkstationName as workstation | fields username, email, userid, phone, workstation

karthikmalla
Explorer

Still not working. How should I call the macro in the search? Is it like this?

sourcetype=* auth("10.20.30.40") with backticks at the beginning and end of auth("10.20.30.40")?

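As an added illustration (not from any of the posters above), this is what the macro from the question looks like on disk together with the sharing metadata and the calls that resolve it. Splunk registers a macro under its name plus its argument count, so `auth(1)` is only found when called with exactly one argument; a bare `auth` looks up `auth(0)`, which is the "cannot be found" error quoted in the question. The app directory and the `admin` write role are assumptions; the macro body is the one from the question, minus the leading pipe.

```ini
# $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/macros.conf   (app directory assumed)
# Stanza name = macro name + number of arguments; "args" lists the argument names.
[auth(1)]
args = src
definition = from datamodel:"Authentication"."Authentication" | search (src="$src$" OR Authentication.src="$src$" OR dest="$src$" OR Authentication.dest="$src$") | eval username=user_first+" "+user_last | eval phone=if(isnull(user_phone), user_phone2, user_phone) | rename user_managedBy as userid, user_email as email, WorkstationName as workstation | fields username, email, userid, phone, workstation
iseval = 0

# $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/metadata/local.meta   (same app, assumed)
# Global sharing with read for everyone; a macro not exported to the calling app also
# produces the "cannot be found" error. The write role is an assumption.
[macros/auth(1)]
export = system
access = read : [ * ], write : [ admin ]

# Calls, as typed into the search bar. The backticks are literal and required.
# The definition already wraps $src$ in double quotes, so the value is passed bare;
# passing "10.20.30.40" in quotes would substitute to src=""10.20.30.40"".
#
#   `auth(10.20.30.40)`
#
# "from" is a generating command, so the macro must open the pipeline; to combine it
# with an ordinary event search, bring it in via a subsearch instead of appending it:
#
#   sourcetype=*someexamplesourcetype* | append [ `auth(10.20.30.40)` ]
#
# Calling `auth` with no argument looks up a macro named auth(0), which does not exist.
```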