Splunk Search

Macro Expansion - Possible Bug

etoombs
Path Finder

Hi all! I've got an issue with macro expansion taking an excessively long time when you use the keyboard shortcut - ctrl+shift+e. I'm looking for someone to try the same thing on their own system and let me know if you're seeing this too. That will help me determine if this is a problem in my environment or a possible bug in the software.

To test, find any macro in your environment.

Establish baseline:

Enter just the macro name in the search box and press ctrl+shift+e (or command+shift+e, I think, on Mac). Note the length of time it takes for the modal pop-up to show you the expanded macro. It is not necessary to run the search.

`mymacro`

Test issue:

Using the same macro as above, create a simple search that has the macro inside of a sub-search. Try expanding the macro. Are you getting a slow response? For me, it's >20 seconds for it to expand the macro.

|makeresults
|append [`mymacro`]

I appreciate the help from anyone willing to test. 

0 Karma

richgalloway
SplunkTrust

Same speed here.

What is your environment like?

---
If this reply helps you, Karma would be appreciated.
0 Karma

etoombs
Path Finder

Hi! Thanks for checking. So... I did more digging on my side. On a non-clustered search head, I've got no delay. On my clustered search heads, I do. I have two SH clusters and both are impacted. Splunk version is 9.1.1.

0 Karma

richgalloway
SplunkTrust

I just checked on a Splunk Cloud SHC and saw no difference in expansion time, so I suspect there's something happening in your environment.

Do you see any relevant messages in splunkd.log on the SH?

---
If this reply helps you, Karma would be appreciated.
0 Karma

bowesmana
SplunkTrust

No difference - same speed - what's your macro doing?

0 Karma

etoombs
Path Finder

It doesn't seem to matter. The macro expansion can be as simple as a single word that it's replacing and the problem still happens.

0 Karma