Splunk® Enterprise

Knowledge Manager Manual

Use search macros in searches

Search macros are reusable chunks of Search Processing Language (SPL) that you can insert into other searches. Search macros can be any part of a search, such as an eval statement or search term and do not need to be a complete command. You can also specify whether the macro field takes any arguments.

Insert search macros into search strings

When you put a search macro in a search string, place a back tick character ( ` ) before and after the macro name. On most English-language keyboards, this character is located on the same key as the tilde (~). You can reference a search macro within other search macros using this same syntax. For example, if you have a search macro named mymacro it looks like the following when referenced in a search:

sourcetype=access_* | `mymacro`

Macros inside of quoted values are not expanded. In the following example, the search macro users is not expanded.

"audit`users`local"


Don't include macros with hyphens in your searches; the Search app doesn't support hyphens in macro names. For example, use `macro_name` instead of `macro-name` in your searches.

Preview search macros in search strings

Check the contents of your search macro from the Search bar in the Search page using the following keyboard shortcut:

  • Command-Shift-E (Mac OSX)
  • Control-Shift-E (Linux or Windows)

The shortcut opens a preview that displays the expanded search string, including all nested search macros and saved searches. If syntax highlighting or line numbering are enabled, those features also appear in the preview.

You can copy parts of the expanded search string. You can also click Open in Search to run the expanded search string in a new window. See Preview your search.

Search macros that contain generating commands

When you use a search macro in a search string, consider whether the macro expands to an SPL string that begins with a Generating command like from, search, metadata, inputlookup, pivot, and tstats. If it does, you need to put a pipe character before the search macro.

For example, if you know the search macro mygeneratingmacro starts with the tstats command, you would insert it into your search string as follows:

| `mygeneratingmacro`

See Define search macros in Settings.

When search macros take arguments

If your search macro takes arguments, define those arguments when you insert the macro into the search string. For example, if the search macro argmacro(2) includes two arguments that are integers, you might have inserted the macro into your search string as follows: `argmacro(120,300)`.

If your search macro argument includes quotes, escape the quotes when you call the macro in your search. For example, if you pass a quoted string as the argument for your macro, you use: `mymacro("He said \"hello!\"")`.

Your search macro definition can include the following:

  • A validation expression that determines whether the arguments you enter are valid.
  • A validation error message that appears when you provide invalid arguments.

Additional resources

For more information, see the following resources.

Last modified on 22 April, 2024
Configure field aliases with props.conf   Define search macros in Settings

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters