Splunk Search

Macro expansion via SPL/REST

paulcurry
Path Finder

I have a search that returns all of my correlation searches for a given app.  

| rest splunk_server=local count=0 /services/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain
| search app=my_app 
| table csearch_name, csearch_label, app, security_domain, qualifiedSearch, description

This works fine and gives the desired output.  However, I would like to add a line in there that would automatically expand any macros in the qualifiedSearch field.

e.g.

search `azuread` "body.operationName"="Add member to role"

but return: 
search sourcetype=mscs:azure:eventhub "body.operationName"="Add member to role"

Is there a lookup or macroExpand function that I could add to my SPL to do this?


dtburrows3
Builder

I also was looking for something that did this for a really long time and could never find anything. 
I know about the CMD+SHIFT+E to expand macros on the UI but needed the same functionality inline in a search to use for meta-analysis (breaking down SPL to its components and analyzing).

I feel like there is some way of doing this that exists somewhere but have not had much luck finding it. 
So I went ahead and tried making a custom command to do it and it actually seems to work out pretty well.
I do want to note that this custom command is recursive in the sense that it expands the macros all the way down, meaning that if there are nested macros it will expand the nested ones as well, all the way until there are no more macros to expand. So the end result should be the fully detailed SPL that is being executed. It will also replace the input args with the values it finds in the input field, so it will also return the SPL that would run for that specific search with the given arguments.
You can see an example of the output here (this particular example is derived from a dashboard, so input arguments are still tokenized and will be represented as such in the "expanded_spl" field):

If you are still interested in this then you can give this a try. I think it will require entries in commands.conf, searchbnf.conf, metadata/local.meta and a custom Python script in bin/.

There is also a dependency on Splunk Python SDK.

Send me a message and I can get it packed up in a custom app to share if you still are needing this functionality.

johnhadfield
Engager

@dtburrows3 Would you be able to share your code or a snippet of the relevant function calls? I am trying to create a similar expansion command but have not yet been able to locate the appropriate functions to use in the Splunk Python SDK.


dtburrows3
Builder

You can give this a try
https://github.com/dtburrows3/Splunk_Expand_Macros_Command

A work in progress, but it seems to cover the majority of things I have thrown at it so far.

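The recursive expansion the answer above describes, as an added stand-alone example (not the code from the linked GitHub project): macro definitions are assumed to have been fetched from the admin/macros REST endpoint and are embedded here as a constructed dictionary, argument quoting is simplified to "substitute the text as written", and a depth limit catches cyclic definitions instead of looping forever.

```python
import re

# Constructed macro definitions, keyed the way Splunk's
# /servicesNS/-/-/admin/macros endpoint names them: "name" for a
# zero-argument macro, "name(argcount)" otherwise. A real custom command
# would fetch these with the Splunk Python SDK; here they are inline.
MACROS = {
    "azuread": "sourcetype=mscs:azure:eventhub",
    "role_event(1)": '`azuread` "body.operationName"=$op$',
    "loop": "`loop`",  # deliberately cyclic, to exercise the depth guard
}
MACRO_ARGS = {"role_event(1)": ["op"]}  # argument names in declared order

MACRO_RE = re.compile(r"`(\w+)(?:\((.*?)\))?`")   # `name` or `name(args)`
ARG_SPLIT_RE = re.compile(r'"[^"]*"|[^,]+')      # split on commas outside quotes


def expand_once(spl):
    """Replace every macro reference in spl with its definition, one level deep."""
    def substitute(match):
        name, raw_args = match.group(1), match.group(2)
        args = [a.strip() for a in ARG_SPLIT_RE.findall(raw_args)] if raw_args is not None else []
        key = f"{name}({len(args)})" if args else name
        if key not in MACROS:
            raise ValueError(f"unknown macro {key}")
        body = MACROS[key]
        # Simplified: the argument text is substituted exactly as written.
        for arg_name, value in zip(MACRO_ARGS.get(key, []), args):
            body = body.replace(f"${arg_name}$", value)
        return body
    return MACRO_RE.sub(substitute, spl)


def expand_macros(spl, max_depth=20):
    """Expand nested macros until none remain; refuse to loop on cyclic definitions."""
    depth = 0
    while MACRO_RE.search(spl):
        if depth >= max_depth:
            raise RecursionError(f"macro nesting deeper than {max_depth}; cyclic definition?")
        spl = expand_once(spl)
        depth += 1
    return spl


if __name__ == "__main__":
    print(expand_macros('search `role_event("Add member to role")`'))
```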