@RichG‘s suggestion is a good one
However, you may also want to look at making a lookup table so you can do something like this:
index=ndx sourcetype=srctp [| inputlookup myhosts.csv ] "MyClass" id IN(3,6)
If you "always" want to look for hosts out of a list (inclusively), using an manageable lookup table is likely going to be easier than having to remember to update a macro like myhosts
Macros definitely work – I use them quite frequently as search shortcuts myself (I use one on practically every search I run in one workspace that fills-in the index and sourcetype so I only have to type 8 characters instead of about 35), but I suspect a lookup table will be simpler to manage and run faster for you
from User warren – Stack Overflow https://stackoverflow.com/questions/75506347/run-predefined-search-sub-query-in-splunk/75592352#75592352
via IFTTT