A Splunk macro can be thought of as a (hopefully, previously tested and otherwise validated) reusable assembly of Splunk (or business) logic—basically, any part or even all of a Splunk search that you don't want to type in again. Saved macros can even be defined to receive arguments when reused. Splunk macros are an integral part of knowledge management.

To understand how macros might be defined, saved, and reused, let's take a look at the previous example using the previously defined eval statement. In the following search, we defined a new field to be evaluated and searched on, named event_date:

sourcetype=TM1* error | EVAL event_date =  date_month  + "/" + date_mday + "/" + date_year | where event_date = "october/24/2007"

The event_date ...