Splunk® Enterprise

Knowledge Manager Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Use search macros in searches

Search macros are reusable chunks of Search Processing Language (SPL) that you can insert into other searches. Search macros can be any part of a search, such as an eval statement or search term, and do not need to be a complete command. You can also specify whether or not the macro field takes any arguments.

Insert search macros into search strings

To include a search macro in a search string, use the back tick character ( ` ). On most English-language keyboards, this character is located on the same key as the tilde (~). You can also reference a search macro within other search macros using this same syntax. If you have a search macro named mymacro it looks like this when referenced in a search:

sourcetype=access_* | `mymacro`

Macros inside of quoted values are not expanded. In the following example, the search macro bar is not expanded.

"foo`bar`baz"

Search macros that contain generating commands

Generating commands like search, metadata, inputlookup, pivot, and tstats always appear at the start of search strings with a leading pipe character. If the definition of your search macro starts with a generating command, the search macro should be inserted into the start of your search string, with a leading pipe character before it. Do not put a leading pipe character in the definition of search macros that begin with generating commands. Here is an example:

| `mygeneratingmacro`

See Define search macros in Settings.

When search macros take arguments

If your search macro takes arguments, you define those arguments when you insert the macro into the search string. For example, if the search macro argmacro(2) includes two arguments that are integers, you might have insert the macro into your search string like this: `argmacro(120,300)`.

If your search macro argument includes quotes, escape the quotes when you call the macro in your search. For example, if you pass a quoted string as the argument for your macro, you would use: `mymacro("He said \"hello!\"")`.

Your search macro definition can include a validation expression that determines whether the arguments you have entered are valid, and a validation error message that you see when you provide invalid arguments.

Additional resources

For more information, see the following resources.

PREVIOUS
Configure field aliases with props.conf
  NEXT
Define search macros in Settings

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters