Splunk® Enterprise

Knowledge Manager Manual

Use search macros in searches

Search macros are reusable chunks of Search Processing Language (SPL) that you can insert into other searches. Search macros can be any part of a search, such as an eval statement or search term, and do not need to be a complete command. You can also specify whether the macro takes any arguments.

Insert search macros into search strings

To include a search macro in a search string, use the back tick character ( ` ). On most English-language keyboards, this character is located on the same key as the tilde (~). You can also reference a search macro within other search macros using this same syntax. If you have a search macro named mymacro it looks like this when referenced in a search:

sourcetype=access_* | `mymacro`

Macros inside of quoted values are not expanded. In the following example, the search macro bar is not expanded.


Preview your search macro

You can check the contents of your search macro with a keyboard shortcut, Command-Shift-E (Mac OSX) or Control-Shift-E (Linux or Windows), from the Search bar in the Search page. This opens a preview that displays the expanded search string, including all nested macros and saved searches. If syntax highlighting or line numbering is turned on, those features also appear in the preview.

You can copy parts of your search in the preview. You can also click Open in Search to run your search in a new window from the preview. See Preview your search.

Search macros that contain generating commands

Generating commands like search, metadata, inputlookup, pivot, and tstats always appear at the start of search strings with a leading pipe character. If the definition of your search macro starts with a generating command, insert the search macro at the start of your search string, with a leading pipe character before it. Do not put a leading pipe character in the definition of search macros that begin with generating commands. Here is an example:

| `mygeneratingmacro`

See Define search macros in Settings.

When search macros take arguments

If your search macro takes arguments, you define those arguments when you insert the macro into the search string. For example, if the search macro argmacro(2) includes two arguments that are integers, you might insert the macro into your search string like this: `argmacro(120,300)`.

If your search macro argument includes quotes, escape the quotes when you call the macro in your search. For example, if you pass a quoted string as the argument for your macro, you would use: `mymacro("He said \"hello!\"")`.

Your search macro definition can include a validation expression that determines whether the arguments you have entered are valid, and a validation error message that you see when you provide invalid arguments.
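The following macros.conf stanzas are an added example, not part of the original topic. They sketch how the argmacro(2) macro mentioned above could pair its two arguments with a validation expression and error message. The argument names min and max, the bytes field, the definitions, and the argmacro_unchecked name are assumptions made for illustration.

```ini
# Constructed example for macros.conf. Names and definitions are hypothetical.

# Without validation: whatever text the caller passes is substituted for
# $min$ and $max$ in the definition before the search runs.
[argmacro_unchecked(2)]
args = min,max
definition = where bytes >= $min$ AND bytes <= $max$

# With validation: the expression is evaluated against the supplied
# arguments when the macro is expanded. If it evaluates to false, the
# search is not run and errormsg is displayed instead.
[argmacro(2)]
args = min,max
definition = where bytes >= $min$ AND bytes <= $max$
validation = isnum($min$) AND isnum($max$)
errormsg = Both arguments to argmacro must be numeric, for example argmacro(120,300).
```

With these stanzas, `argmacro(120,300)` expands normally, while a call with a non-numeric argument is rejected with the error message rather than being substituted into the search string.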

Additional resources

For more information, see the following resources.

Configure field aliases with props.conf
Define search macros in Settings

This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2
