Macro searches
This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13
Contents
Macro searches
Macro searches are a powerful new feature for saved searches. Save searches with macro fields, which are values you set at search time. You can create a sophisticated saved search with as many macro fields as you like.
Use macro searches in Splunk Web or in Splunk's CLI. Macro searches work similarly to form searches, except there is no graphical user interface component.
Configure a macro search
- Create a saved search. Use
$TERM$to specify a macro field for substitution. You can specify any number of macro fields.
host=swan OR host=pearl $user$ $trans$ 
- Save the search and name it. The following example calls the search usertrans.
- Call your saved search with the
savedsearchcommand. Enter the values to substitute for the macro fields specified in the saved search usertrans. You can specify key value pairs from search or extracted fields, or any other value in your data.
|savedsearch usertrans user=KateAusten trans=queryNote: Use the "I" (pipe) operator before the savedsearch command.
- The macro search above is equivalent to this search:
host=swan OR host=pearl user=KateAusten trans=query