Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to expand macros in a Splunk search?

pavanae
Builder
‎11-03-2016 10:32 AM

I have a search as follows:

index="x" search_name="`Y`" (status=Z) | `A` |`B`

where A and B are macros

Now how can I see the complete search by expanding all the Y, A, and B?

Also, if the macros (A and B) contain some internal macros and also some internal tags, how can I expand them all and see the complete search?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎11-03-2016 11:00 AM

For versions Splunk 6.0 - 6.5, you need to open the job inspector for that search either in the Search app or via the job inspector / activity inspector. The job inspector will reveal how it interprets and expands the macros in order to execute the search.

Starting with Splunk 6.6, follow @hrottenberg_splunk instructions for the new macro expansion feature.

View solution in original post

Reply
Solved! Jump to solution

hrottenberg_spl
Splunk Employee
Splunk Employee
‎06-23-2017 08:16 AM

New in 6.6, there is now a keystroke to expand macros in the search window! Click inside your search and press cmd-shift-E (on Mac) and ctrl-shift-E on Windows, and you'll see a window like this:

alt text

(Edit: corrected Windows hotkey, thanks for the comment below!)

Reply
Solved! Jump to solution

yahuja_splunk
Splunk Employee
Splunk Employee
‎03-22-2018 02:18 PM

Just an update. It is control + shift + E on windows.

Happy Splunking!

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎11-03-2016 11:33 AM

Navigate to Settings > Advanced Search > Search macros
There you can look for the definition of your macros.

https://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Definesearchmacros

Reply
Solved! Jump to solution

anewell
Path Finder
‎01-31-2019 12:21 PM

I downvoted this post because i'm really tired of karma-farming responses that are simply "rtfm" links. it degrades the value of all 'answers' activity if the only help anyone ever gets is a link back to documentation that seeker has already read. we've read the docs, and we're here for further clarification or perspective.

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎02-25-2019 03:01 AM

I downvoted this post because vise versa is true as well. many times users may not know the documentation page link.
on my answer, i have clearly replied the correct process and then for more clarity i have given the docs link. i don't see anything wrong with my answer.

Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎11-03-2016 11:00 AM

For versions Splunk 6.0 - 6.5, you need to open the job inspector for that search either in the Search app or via the job inspector / activity inspector. The job inspector will reveal how it interprets and expands the macros in order to execute the search.

Starting with Splunk 6.6, follow @hrottenberg_splunk instructions for the new macro expansion feature.

Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎06-23-2017 09:02 AM

I downvoted this post because while it was very true, it's not true anymore though. see @hrottenberg comment below.

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...