Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to find out the location of a given macro in a search head clustering environment?

Thuan
Explorer
‎01-07-2016 03:07 PM

I am new to a search head clustering environment. I found macros being used and I am trying to find out where these macros were created. I read the link http://docs.splunk.com/Documentation/ES/3.3.0/Install/Macros which has a lot of useful information on ES defined macros. Is there a way to quickly find out the location of a given macro, e.g., 

| `host_eventcount(30,72)`

using grep at the CLI, or search? This helps me to understand what canned searches do.

Thank you.

0 Karma
Reply

Thuan
Explorer
‎01-08-2016 09:12 AM

I will try the btool option as this is the answer I am looking for. It provides a unique way to look for macros. The other GUI option is too clumsy as you need to know what apps the macro was created for.

Thank you.

0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎01-07-2016 04:42 PM

One way to look up information about a given macro, is to use btool:

./splunk btool macros list host_eventcount --debug

Have you tried just looking for it in Settings > Advanced Search > Macros and looking across all owners / apps ?

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top