Use search macros in searches
Search macros are reusable chunks of Search Processing Language (SPL) that you can insert into other searches. Search macros can be any part of a search, such as an eval statement or search term, and do not need to be a complete command. You can also specify whether or not the macro field takes any arguments.
Insert search macros into search strings
To include a search macro in a search string, use the back tick character ( ` ). On most English-language keyboards, this character is located on the same key as the tilde (~). You can also reference a search macro within other search macros using this same syntax. If you have a search macro named mymacro, it looks like this when referenced in a search:
sourcetype=access_* | `mymacro`
Macros inside of quoted values are not expanded. In the following example, the search macro bar is not expanded.
Preview your search macro
You can check the contents of your search macro with a keyboard shortcut, Command-Shift-E (Mac OSX) or Control-Shift-E (Linux or Windows) from the Search bar in the Search page. This opens a preview that displays the expanded search string, including all nested macros and saved searches. If syntax highlighting or line numbering are turned on, those features also appear in the preview.
You can copy parts of your search in the preview. You can also click Open in Search to run your search in a new window from the preview. See Preview your search.
Search macros that contain generating commands
Generating commands like tstats always appear at the start of search strings with a leading pipe character. If the definition of your search macro starts with a generating command, insert the search macro at the start of your search string, with a leading pipe character before it. Do not put a leading pipe character in the definition of search macros that begin with generating commands. Here is an example:
When search macros take arguments
If your search macro takes arguments, you define those arguments when you insert the macro into the search string. For example, if the search macro argmacro(2) includes two arguments that are integers, you might insert the macro into your search string like this:
If your search macro argument includes quotes, escape the quotes when you call the macro in your search. For example, if you pass a quoted string as the argument for your macro, you would use:
`mymacro("He said \"hello!\"")`.
Your search macro definition can include a validation expression that determines whether the arguments you have entered are valid, and a validation error message that you see when you provide invalid arguments.
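The following macros.conf fragment is an added illustration, not taken from the Splunk documentation. It shows a two-argument macro with a validation expression and error message, and a macro that begins with a generating command. The macro names, field names, sourcetype and data model are assumptions chosen for a failed-login detection.

```ini
# macros.conf (constructed example; all names below are hypothetical)

# Two integer arguments. The stanza name carries the argument count,
# in the same way as argmacro(2).
[failed_logins_over(2)]
args = threshold, minutes
definition = bucket _time span=$minutes$m | stats count AS failures BY _time, user, src | where failures > $threshold$
# The validation is an eval expression. If it evaluates to false,
# the search is rejected and errormsg is shown.
validation = isnum($threshold$) AND isnum($minutes$) AND $threshold$ > 0
errormsg = threshold and minutes must be numbers, and threshold must be greater than 0

# Definition starts with a generating command (tstats).
# No leading pipe here; the pipe goes in the search that calls the macro.
[auth_failures_by_src]
definition = tstats count FROM datamodel=Authentication WHERE Authentication.action=failure BY Authentication.src

# Calls from the Search bar:
#   sourcetype=linux_secure action=failure | `failed_logins_over(5, 10)`
#   | `auth_failures_by_src` | where count > 100
```

Use the preview shortcut described above to confirm that the arguments are substituted as intended before you schedule a search that depends on these macros.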
For more information, see the following resources.
Configure field aliases with props.conf
Define search macros in Settings
This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2