topic Re: Cannot Call A Search Command from Search Macro in Splunk Search

Cannot Call A Search Command from Search Macro

spraus — Thu, 08 Feb 2018 19:48:09 GMT

Hello everyone;

I am trying to call a search command from a search macro. Does anyone have a suggestion.
Example:
Typical Search String: | ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"
Search Macro: | ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" $filter$

When I run this it is as if 'ldapsearch' is not executed as the search returns way too quick as compared to the raw search.

Thank you in advance;
SPraus

Edit:
Exact "Actual" Macro:

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs="cn,sAMAccountName,mail,department,displayName,canonicalName,objectCategory,l,memberOf,pwdLastSet,sAMAccountType,title,givenName,sn,info,comment,userAccountControl,lastLogon" | rex field=memberOf "CN=(?<groups>.*?),OU=" | strcat "Info: " info "::" "Comment: " comment infoComments | makemv delim="::" infoComments | makemv delim=";" duoAliases | makemv delim="/" canonicalName | eval container = mvindex(canonicalName, 1) | search $filter$

And I have tested with just simply the start as I suggested above.

Re: Cannot Call A Search Command from Search Macro

elliotproebstel — Thu, 08 Feb 2018 19:56:06 GMT

The ldapsearch command is a generating command, which means it must always be preceded by a | (pipe) character. When generating commands are used in macros, you can't put the pipe inside the macro, so you'll need to ensure your search query always contains a pipe immediately before the macro on your search line. So if your macro is named ldap_macro, then you can't do this:

`ldap_macro` | whatever else...

Instead, you must always do this:

| `ldap_macro` | whatever else...

Re: Cannot Call A Search Command from Search Macro

micahkemp — Thu, 08 Feb 2018 20:00:16 GMT

Specifically you just can't start a macro with a pipe.

Re: Cannot Call A Search Command from Search Macro

spraus — Thu, 08 Feb 2018 20:06:46 GMT

My apologies elliotproebstel... My macro does include the "| ldapsearch " as you suggest. I forgot to add it above and will edit it. Unfortunately even with the | it is still not returning any results. My exact macro will now be added to the edit.

Sorry about that;
Stephen

Re: Cannot Call A Search Command from Search Macro

micahkemp — Thu, 08 Feb 2018 20:13:03 GMT

I think he's saying your macro needs to look like:

[<macro name>]
search = ldapsearch ...

And you would do this in your search string:

| `<macro name>`

Re: Cannot Call A Search Command from Search Macro

spraus — Thu, 08 Feb 2018 20:15:59 GMT

You are completely correct Micah. Thank you!!!

Final answers:
Search Macro: " ldapsearch ....." (Note no |)
Use of search macro: " | {SearchMacroName} " (Note |)

Thank you all!!!

Re: Cannot Call A Search Command from Search Macro

elliotproebstel — Thu, 08 Feb 2018 22:11:19 GMT

Yes, thanks for correcting and clarifying!