Macro search
This documentation does not apply to the most recent version of Splunk.
Save searches with macro fields, which are values you set at search time. You can create sophisticated saved searches with as many macro fields as you like. Use macro searches in Splunk Web or in Splunk's CLI. Macro searches work similarly to form searches, except there is no graphical user interface.
Configure a macro search
1. Create a saved search. Use $TERM$ to specify a macro field for substitution. You can specify any number of macro fields.
    host=swan OR host=pearl $user$ $trans$
2. Save the search and name it. The following example calls the search usertrans.
3. Call your saved search with the savedsearch command. Enter the values to substitute for the macro fields specified in the saved search usertrans. You can specify key value pairs from search or extracted fields, or any other value in your data.
    | savedsearch usertrans user=KateAusten trans=query
Note: Use the "|" (pipe) operator before the savedsearch command.
This example of macro search is equivalent to this search:
    host=swan OR host=pearl user=KateAusten trans=query
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14