Reporting

What is macro replacement in a saved search?

Super Champion

The docs reference the option of passing macro values into a saved search. How does that work exactly? I understand how macros work, and it makes sense that you could disable macro expansion (nosubstitution=true), but what I don't get is passing key/values to your saved search...

I'm specifically referring to the savedsearch-replacement-opt setting. Can anyone help explain what this does? An example would be great.

0 Karma
1 Solution

Splunk Employee
Splunk Employee

If you define a saved search defined literally as:

sourcetype=mysourcetype fieldx="$afield$" item$bfield$=* | where xxx=yyy

You can call it using:

| savedsearch afield=whatever bfield=Size

and it will be called as if:

sourcetype=mysourcetype term1 fieldx="whatever" itemSize=* | where xxx=yyy 

You could use a regular macros.conf macro instead.

View solution in original post

Splunk Employee
Splunk Employee
0 Karma

Super Champion

Thanks. Looks like this just talks about "macros", which I was already familiar with. I just didn't know such a think was possible to do with saved searches. Pretty cool feature. I could see this being useful for a form search where you want to leverage a savedsearch, for example (similarly to how things were done back in the 3.x days)

0 Karma

Splunk Employee
Splunk Employee

If you define a saved search defined literally as:

sourcetype=mysourcetype fieldx="$afield$" item$bfield$=* | where xxx=yyy

You can call it using:

| savedsearch afield=whatever bfield=Size

and it will be called as if:

sourcetype=mysourcetype term1 fieldx="whatever" itemSize=* | where xxx=yyy 

You could use a regular macros.conf macro instead.

View solution in original post

Splunk Employee
Splunk Employee

actually if you schedule it will run but just literally without replacement of the $var$ variables.

0 Karma

Super Champion

So I'm guessing such savedsearches cannot (or should not) be scheduled? (Since there is no way for splunk to gaze into the future and/or predict what macro values will be used for expansion.) Is that a correct assumption?

0 Karma