Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Macro Expansion - Possible Bug

etoombs
Path Finder
‎04-10-2024 02:36 PM

Hi all!  I've got an issue with macro expansion taking an excessively long time when you use the keyboard shortcut - ctrl+shift+e.  I'm looking for someone to try the same thing on their own system and let me know if you're seeing this to. That will help me determine if this is a problem in my environment or a possible bug in the software.

To test, find any macro in your environment.

Establish baseline:

Enter just the macro name in the search box and press ctrl+shift+e (or command+shift+e, I think, on MAC).  Note the length of time it takes for the modal pop up to show you the expanded macro. It is not necessary to run the search.

`mymacro`

Test issue:

Using the same macro as above, create a simple search that has the macro inside of a sub-search. Try expanding the macro. Are you getting a slow response? For me, it's >20 seconds for it to expand the macro 

|makeresults
|append [`mymacro`]

I appreciate the help from anyone willing to test. 

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-11-2024 05:22 AM

Same speed here.

What is your environment like?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

etoombs
Path Finder
‎04-11-2024 06:25 AM

Hi! Thanks for checking. So... I did more digging on my side. On a non-clustered search head, I've got no delay. On my clustered-search heads, I do. I have two SH clusters and both are impacted. Splunk version is 9.1.1.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-11-2024 06:46 AM

I just checked on a Splunk Cloud SHC and saw to difference in expansion time so I suspect there's something happening in your environment.

Do you see any relevant messages in splunkd.log on the SH?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-10-2024 05:19 PM

No difference - same speed - what's your macro doing?

0 Karma
Reply

etoombs
Path Finder
‎04-11-2024 06:28 AM

It doesn't seem to matter. The macro expansion can be as simple as a single word that it's replacing and the problem still happens.

0 Karma
Reply
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...