Use search macros in searches
Search macros are reusable chunks of Search Processing Language (SPL) that you can insert into other searches. Search macros can be any part of a search, such as an eval statement or search term, and do not need to be a complete command. You can also specify whether or not the macro field takes any arguments.
Insert search macros into search strings
To include a search macro in a search string, use the back tick character ( ` ). On most English-language keyboards, this character is located on the same key as the tilde (~). You can also reference a search macro within other search macros using this same syntax. If you have a search macro named
mymacro it looks like this when referenced in a search:
sourcetype=access_* | `mymacro`
Macros inside of quoted values are not expanded. In the following example, the search macro
bar is not expanded.
Search macros that contain generating commands
Generating commands like
tstats always appear at the start of search strings with a leading pipe character. If the definition of your search macro starts with a generating command, the search macro should be inserted into the start of your search string, with a leading pipe character before it. Do not put a leading pipe character in the definition of search macros that begin with generating commands. Here is an example:
When search macros take arguments
If your search macro takes arguments, you define those arguments when you insert the macro into the search string. For example, if the search macro
argmacro(2) includes two arguments that are integers, you might have insert the macro into your search string like this:
If your search macro argument includes quotes, escape the quotes when you call the macro in your search. For example, if you pass a quoted string as the argument for your macro, you would use:
`mymacro("He said \"hello!\"")`.
Your search macro definition can include a validation expression that determines whether the arguments you have entered are valid, and a validation error message that you see when you provide invalid arguments.
For more information, see the following resources.
Configure field aliases with props.conf
Define search macros in Settings
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2