Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I expand a macro definition in the search field?

neiljpeterson
Communicator
‎11-07-2014 02:58 PM

Sometimes Splunk will just do this, like when you try to add an additional term from the Events tab, but what if I wanted to do it on demand?

Is there a way to tell Splunk to expand a macro to its fully exploded form?

This would make editing and debugging macros much more fluid. I would be surprised if something like this wasn't implemented, but I have scoured the docs and come up empty. Any tips?

Reply

micahkemp
Champion
‎02-01-2018 07:55 PM

There is now an answer for this. From that post:

New in 6.6, there is now a keystroke to expand macros in the search window! Click inside your search and press cmd-shift-E (on Mac, should be shift-WIN-E on Windows) and you'll see a window like this:
Reply

yahuja_splunk
Splunk Employee
Splunk Employee
‎03-22-2018 02:40 PM

Just an update it is control+shift+E in windows

0 Karma
Reply

vbumgarner
Contributor
‎10-22-2018 04:20 PM

Sure would be nice if this was discoverable!

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-16-2017 05:46 AM

There is a REST call that can do macro expansion:

$ curl -k https://localhost:8089/servicesNS/admin/search/search/intentionsparser -u admin -d "q=search index=_internal `sin(90)`" -d "action=addterm" -d "value="
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <dict>
    <key name="fullSearch">| search index=_internal (90 - pow(90, 3)/6 + pow(90, 5)/120 - pow(90, 7)/5040 + pow(90, 9)/362880 - pow(90, 11)/39916800 + pow(90, 13)/6227020800)</key>
    <key name="eventsSearch">search index=_internal (90 - pow(90, 3)/6 + pow(90, 5)/120 - pow(90, 7)/5040 + pow(90, 9)/362880 - pow(90, 11)/39916800 + pow(90, 13)/6227020800)</key>
    <key name="reportsSearch"></key>
    <key name="canSummarize">0</key>
  </dict>
</response>

The challenge would be to include that in the UI 🙂

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎02-01-2018 05:21 PM

This appears to be an undocumented trick, it works outside Splunk (for example a curl call) but not via a | rest call in the search interface.

Do you happen to have a trick that works within the search interface? Thanks!

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎02-01-2018 08:02 PM

FYI I had a minor use case where I wanted to expand macros non-interactively so that's why I cannot use the CTRL-SHIFT-E trick here...(even though I have Splunk 7 installed)
If there is an answer that's great, but it's not that important

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

immortalraghava
Path Finder
‎04-01-2015 11:16 PM

I had this situation where I needed to check what macro definition the search was using.
For that I used the "eventSearch" field from the Inspect Job page. I was able to see the fully expanded search.
But what you are looking for seems different. You need a command to expand the macro? Interesting ! Lets see if someone answers

Reply
Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...