Use macros with event types and tags
When a search uses event types and tags together with a macro whose definition concatenates expressions (an implicit AND), enclose the macro definition in parentheses. Otherwise Splunk software expands the macro without the grouping you intended, and the Boolean precedence of the expanded search changes.
See Use search macros in searches
Example 1: A search without a macro
Say you save the following search string as an event type called IDtest, which includes an implicit AND that concatenates two expressions:
index=_internal sourcetype=splunk_btool
Then, you tag your IDtest event type with the IDtag tag and run the following search in Splunk Web:
index=_audit OR tag="IDtag"
Splunk expands the search string with the tag as follows:
litsearch(index=_audit OR (index=_internal sourcetype=splunk_btool))
This expanded search string fetches events that have index=_audit, or events that have both index=_internal and sourcetype=splunk_btool. As a result, all events in the _audit index are included in the search results regardless of their source type.
Example 2: A search with a macro
Now, say that instead of saving that long search string to your IDtest event type as you did in the first example, you define a macro called ID_macro that runs the same search:
index=_internal sourcetype=splunk_btool
Then, you run the same search in Splunk Web as before:
index=_audit OR tag="IDtag"
This time, the search string is the equivalent of the following search:
(index=_audit OR `ID_macro`)
Now, when Splunk software expands this search string, it looks like this:
litsearch (index=_audit OR index=_internal sourcetype=splunk_btool)
As you can see, this expanded search string is missing the parentheses around the two expressions that follow the OR operator. Because Splunk software evaluates OR before the implicit AND, this search string has a different meaning than the one in the first example: it fetches all events in the _audit or _internal index that have sourcetype=splunk_btool. Events in the _audit index are included in the search results only if their source type is splunk_btool.
Because the parentheses are missing from the macro expansion, the search does not return the results you expect. To get the same behavior as in the first example, add parentheses to the macro definition, like this:
(index=_internal sourcetype=splunk_btool)
Then, the next time you run your search, the macro will expand with the parentheses and your event types and tags will work as intended.
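As an added illustration (not code from the Splunk documentation), the following Python script models the two expansions above. It substitutes the macro textually, the way Splunk does, and then evaluates the expanded string over a handful of constructed events using Splunk's Boolean precedence: parentheses first, then OR, then the implicit AND between adjacent terms. The sample events, the macro dictionaries (modelled on a macros.conf stanza) and the expand_macros and run_search helpers are all assumptions of this example.

```python
import re

# Constructed sample events (not from the page): one index and one sourcetype each.
EVENTS = [
    {"index": "_audit",    "sourcetype": "audittrail"},
    {"index": "_audit",    "sourcetype": "splunk_btool"},
    {"index": "_internal", "sourcetype": "splunk_btool"},
    {"index": "_internal", "sourcetype": "splunkd"},
    {"index": "main",      "sourcetype": "splunk_btool"},
]

# Hypothetical macro definitions, modelled on a macros.conf stanza:
#   [ID_macro]
#   definition = (index=_internal sourcetype=splunk_btool)
# Only the second dictionary carries the recommended parentheses.
MACROS_BARE  = {"ID_macro": "index=_internal sourcetype=splunk_btool"}
MACROS_PAREN = {"ID_macro": "(index=_internal sourcetype=splunk_btool)"}

# The page's Example 2 search, written with the macro in place of the tag.
SEARCH = "index=_audit OR `ID_macro`"


def expand_macros(search, macros):
    """Substitute each `name` textually, as Splunk does: no parentheses are added."""
    return re.sub(r"`(\w+)`", lambda m: macros[m.group(1)], search)


# Tokens: "(", ")", the OR keyword, and field=value terms (quoted or bare).
_TOKEN = re.compile(r'\(|\)|\bOR\b|\w+=(?:"[^"]*"|[^\s()]+)')


def _parse_and(tokens, pos):
    """expr := or_group or_group*  (adjacent groups are an implicit AND, evaluated last)."""
    node, pos = _parse_or(tokens, pos)
    while pos < len(tokens) and tokens[pos] != ")":
        rhs, pos = _parse_or(tokens, pos)
        node = ("AND", node, rhs)
    return node, pos


def _parse_or(tokens, pos):
    """or_group := atom ('OR' atom)*  (Splunk evaluates OR before the implicit AND)."""
    node, pos = _parse_atom(tokens, pos)
    while pos < len(tokens) and tokens[pos] == "OR":
        rhs, pos = _parse_atom(tokens, pos + 1)
        node = ("OR", node, rhs)
    return node, pos


def _parse_atom(tokens, pos):
    """atom := '(' expr ')' | field=value"""
    tok = tokens[pos]
    if tok == "(":
        node, pos = _parse_and(tokens, pos + 1)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("unbalanced parentheses")
        return node, pos + 1
    field, value = tok.split("=", 1)
    return ("TERM", field, value.strip('"')), pos + 1


def parse(search):
    tokens = _TOKEN.findall(search)
    node, pos = _parse_and(tokens, 0)
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return node


def matches(node, event):
    """Evaluate a parsed search tree against one event."""
    if node[0] == "TERM":
        return event.get(node[1]) == node[2]
    left, right = matches(node[1], event), matches(node[2], event)
    return (left and right) if node[0] == "AND" else (left or right)


def run_search(search, events=EVENTS):
    """Return the (index, sourcetype) pairs the expanded search would fetch."""
    tree = parse(search)
    return [(e["index"], e["sourcetype"]) for e in events if matches(tree, e)]


if __name__ == "__main__":
    for label, macros in (("bare", MACROS_BARE), ("parenthesized", MACROS_PAREN)):
        expanded = expand_macros(SEARCH, macros)
        print(f"{label:14} {expanded}")
        for hit in run_search(expanded):
            print("   ", hit)
```

With the bare definition the _audit event whose source type is audittrail disappears from the results, because the expanded string is read as (index=_audit OR index=_internal) sourcetype=splunk_btool; with the parenthesized definition it is fetched, as in the first example.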