Splunk Search

Macro expansion via SPL/REST

paulcurry
Path Finder

I have a search that returns all of my correlation searches for a given app.  

| rest splunk_server=local count=0 /services/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain
| search app=my_app 
| table csearch_name, csearch_label, app, security_domain, qualifiedSearch, description


This works fine and gives the desired output.  However, I would like to add a line in there that would automatically expand any macros in the qualifiedSearch field.

e.g.

search `azuread` "body.operationName"="Add member to role"

but return: 
search sourcetype=mscs:azure:eventhub "body.operationName"="Add member to role"


Is there a lookup or macroExpand function that I could add to my SPL to do this?


dtburrows3
Builder

I also was looking for something that did this for a really long time and could never find anything. 
I know about the CMD+SHIFT+E to expand macros on the UI but needed the same functionality inline in a search to use for meta-analysis (breaking down SPL to its components and analyzing).

I feel like there is some way of doing this that exists somewhere but have not had much luck finding it. 
So I went ahead and tried making a custom command to do it and it actually seems to work out pretty well.
I do want to note that this custom command is recursive in a sense that it expands the macros all the way down. Meaning that if there are nested macros, this will expand the nested ones as well, all the way until there are no more macros to expand. So the end result should be a fully detailed SPL that is being executed. It will also replace the input args with the values it finds in the input field, so it will also return the SPL that would run for that specific search with the given arguments.
You can see an example of the output here (this particular example is derived from a dashboard, so input arguments are still tokenized and will be represented as such in the "expanded_spl" field):

[image: dtburrows3_0-1704761420227.png]

If you are still interested in this then you can give this a try, I think it will require entries in commands.conf, searchbnf.conf, metadata/local.meta and a custom python script in bin/

There is also a dependency on Splunk Python SDK.

Send me a message and I can get it packed up in a custom app to share if you still are needing this functionality.
