Splunk® Enterprise

Knowledge Manager Manual

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Use search macros in searches

Search macros are reusable chunks of Search Processing Language (SPL) that you can insert into other searches. Search macros can be any part of a search, such as an eval statement or search term and do not need to be a complete command. You can also specify whether the macro field takes any arguments.

Insert search macros into search strings

When you put a search macro in a search string, place a back tick character ( ` ) before and after the macro name. On most English-language keyboards, this character is located on the same key as the tilde (~). You can reference a search macro within other search macros using this same syntax. For example, if you have a search macro named mymacro it looks like the following when referenced in a search:

sourcetype=access_* | `mymacro`

Macros inside of quoted values are not expanded. In the following example, the search macro bar is not expanded.


Search macros that contain generating commands

When you use a search macro in a search string, consider whether the macro expands to an SPL string that begins with a Generating command like from, search, metadata, inputlookup, pivot, and tstats. If it does, you need to put a pipe character before the search macro.

For example, if you know the search macro mygeneratingmacro starts with the tstats command, you would insert it into your search string as follows:

| `mygeneratingmacro`

See Define search macros in Settings.

When search macros take arguments

If your search macro takes arguments, define those arguments when you insert the macro into the search string. For example, if the search macro argmacro(2) includes two arguments that are integers, you might have inserted the macro into your search string as follows: `argmacro(120,300)`.

If your search macro argument includes quotes, escape the quotes when you call the macro in your search. For example, if you pass a quoted string as the argument for your macro, you use: `mymacro("He said \"hello!\"")`.

Your search macro definition can include the following:

  • A validation expression that determines whether the arguments you enter are valid.
  • A validation error message that appears when you provide invalid arguments.

Additional resources

For more information, see the following resources.

Last modified on 01 September, 2017
Configure field aliases with props.conf
Define search macros in Settings

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters