Splunk Search

Macro Expansion - Possible Bug

etoombs
Path Finder

Hi all!  I've got an issue with macro expansion taking an excessively long time when you use the keyboard shortcut - ctrl+shift+e.  I'm looking for someone to try the same thing on their own system and let me know if you're seeing this to. That will help me determine if this is a problem in my environment or a possible bug in the software.

To test, find any macro in your environment.

Establish baseline:

Enter just the macro name in the search box and press ctrl+shift+e (or command+shift+e, I think, on MAC).  Note the length of time it takes for the modal pop up to show you the expanded macro. It is not necessary to run the search.

`mymacro`

Test issue:

Using the same macro as above, create a simple search that has the macro inside of a sub-search. Try expanding the macro. Are you getting a slow response? For me, it's >20 seconds for it to expand the macro 

|makeresults
|append [`mymacro`]

I appreciate the help from anyone willing to test. 

Labels (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Same speed here.

What is your environment like?

---
If this reply helps you, Karma would be appreciated.
0 Karma

etoombs
Path Finder

Hi! Thanks for checking. So... I did more digging on my side. On a non-clustered search head, I've got no delay. On my clustered-search heads, I do. I have two SH clusters and both are impacted. Splunk version is 9.1.1.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I just checked on a Splunk Cloud SHC and saw to difference in expansion time so I suspect there's something happening in your environment.

Do you see any relevant messages in splunkd.log on the SH?

---
If this reply helps you, Karma would be appreciated.
0 Karma

bowesmana
SplunkTrust
SplunkTrust

No difference - same speed - what's your macro doing?

0 Karma

etoombs
Path Finder

It doesn't seem to matter. The macro expansion can be as simple as a single word that it's replacing and the problem still happens.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...