Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Macro Expansion - Possible Bug

etoombs
Path Finder
‎04-10-2024 02:36 PM

Hi all!  I've got an issue with macro expansion taking an excessively long time when you use the keyboard shortcut - ctrl+shift+e.  I'm looking for someone to try the same thing on their own system and let me know if you're seeing this to. That will help me determine if this is a problem in my environment or a possible bug in the software.

To test, find any macro in your environment.

Establish baseline:

Enter just the macro name in the search box and press ctrl+shift+e (or command+shift+e, I think, on MAC).  Note the length of time it takes for the modal pop up to show you the expanded macro. It is not necessary to run the search.

`mymacro`

Test issue:

Using the same macro as above, create a simple search that has the macro inside of a sub-search. Try expanding the macro. Are you getting a slow response? For me, it's >20 seconds for it to expand the macro 

|makeresults
|append [`mymacro`]

I appreciate the help from anyone willing to test. 

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-11-2024 05:22 AM

Same speed here.

What is your environment like?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

etoombs
Path Finder
‎04-11-2024 06:25 AM

Hi! Thanks for checking. So... I did more digging on my side. On a non-clustered search head, I've got no delay. On my clustered-search heads, I do. I have two SH clusters and both are impacted. Splunk version is 9.1.1.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-11-2024 06:46 AM

I just checked on a Splunk Cloud SHC and saw to difference in expansion time so I suspect there's something happening in your environment.

Do you see any relevant messages in splunkd.log on the SH?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-10-2024 05:19 PM

No difference - same speed - what's your macro doing?

0 Karma
Reply

etoombs
Path Finder
‎04-11-2024 06:28 AM

It doesn't seem to matter. The macro expansion can be as simple as a single word that it's replacing and the problem still happens.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...