Use search macros in searches
Search macros are reusable chunks of Search Processing Language (SPL) that you can insert into other searches. Search macros can be any part of a search, such as an eval statement or search term and do not need to be a complete command. You can also specify whether the macro field takes any arguments.
Insert search macros into search strings
When you put a search macro in a search string, place a back tick character ( ` ) before and after the macro name. On most English-language keyboards, this character is located on the same key as the tilde (~). You can reference a search macro within other search macros using this same syntax. For example, if you have a search macro named mymacro
it looks like the following when referenced in a search:
sourcetype=access_* | `mymacro`
Macros inside of quoted values are not expanded. In the following example, the search macro users
is not expanded.
"audit`users`local"
Don't include macros with hyphens in your searches; the Search app doesn't support hyphens in macro names. For example, use `macro_name`
instead of `macro-name`
in your searches.
Preview search macros in search strings
Check the contents of your search macro from the Search bar in the Search page using the following keyboard shortcut:
- Command-Shift-E (Mac OSX)
- Control-Shift-E (Linux or Windows)
The shortcut opens a preview that displays the expanded search string, including all nested search macros and saved searches. If syntax highlighting or line numbering are enabled, those features also appear in the preview.
You can copy parts of the expanded search string. You can also click Open in Search to run the expanded search string in a new window. See Preview your search.
Search macros that contain generating commands
When you use a search macro in a search string, consider whether the macro expands to an SPL string that begins with a Generating command like from
, search
, metadata
, inputlookup
, pivot
, and tstats
. If it does, you need to put a pipe character before the search macro.
For example, if you know the search macro mygeneratingmacro
starts with the tstats
command, you would insert it into your search string as follows:
| `mygeneratingmacro`
See Define search macros in Settings.
When search macros take arguments
If your search macro takes arguments, define those arguments when you insert the macro into the search string. For example, if the search macro argmacro(2)
includes two arguments that are integers, you might have inserted the macro into your search string as follows: `argmacro(120,300)`
.
If your search macro argument includes quotes, escape the quotes when you call the macro in your search. For example, if you pass a quoted string as the argument for your macro, you use: `mymacro("He said \"hello!\"")`
.
Your search macro definition can include the following:
- A validation expression that determines whether the arguments you enter are valid.
- A validation error message that appears when you provide invalid arguments.
Additional resources
For more information, see the following resources.
- Define search macros in Settings
- Search macro examples
- Generating commands, in the Search Reference.
Configure field aliases with props.conf | Define search macros in Settings |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.2.2406, 8.2.2112, 8.2.2202, 9.0.2205, 8.2.2201, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release)
Feedback submitted, thanks!