Macro Expansion - Possible Bug

etoombs
Path Finder

Hi all! I've got an issue with macro expansion taking an excessively long time when you use the keyboard shortcut - ctrl+shift+e. I'm looking for someone to try the same thing on their own system and let me know if you're seeing this too. That will help me determine if this is a problem in my environment or a possible bug in the software.

To test, find any macro in your environment.

Establish baseline:

Enter just the macro name in the search box and press ctrl+shift+e (or command+shift+e, I think, on Mac). Note the length of time it takes for the modal pop-up to show you the expanded macro. It is not necessary to run the search.

`mymacro`

Test issue:

Using the same macro as above, create a simple search that has the macro inside of a sub-search. Try expanding the macro. Are you getting a slow response? For me, it's >20 seconds for it to expand the macro.

|makeresults
|append [`mymacro`]

I appreciate the help from anyone willing to test. 

0 Karma

richgalloway
SplunkTrust

Same speed here.

What is your environment like?

---
If this reply helps you, Karma would be appreciated.
0 Karma

etoombs
Path Finder

Hi! Thanks for checking. So... I did more digging on my side. On a non-clustered search head, I've got no delay. On my clustered search heads, I do. I have two SH clusters and both are impacted. Splunk version is 9.1.1.

0 Karma

richgalloway
SplunkTrust

I just checked on a Splunk Cloud SHC and saw no difference in expansion time, so I suspect there's something happening in your environment.

Do you see any relevant messages in splunkd.log on the SH?

---
If this reply helps you, Karma would be appreciated.
0 Karma

bowesmana
SplunkTrust

No difference - same speed - what's your macro doing?

0 Karma

etoombs
Path Finder

It doesn't seem to matter. The macro expansion can be as simple as a single word that it's replacing and the problem still happens.

0 Karma