https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115185#M30471 <P>Using | stats count is often useful to do a quick test</P> <PRE><CODE>| stats count | some search where you do not need event data </CODE></PRE> <P>I wanted to use that mechanism/pattern in a macro that does modifications to a lookup. The macro is called/used by a workflow action</P> <PRE><CODE>[test] definition = | stats count | do stuff with a lookup iseval = 0 </CODE></PRE> <P>Calling the macro triggers a remote search and takes much longer than doing the same directly in the search field in the default search view. <BR /> Is there a way around this? Is this the wrong aproach? <BR /> I could embed the search directly in the work flow action but I would like to pass on the name of the lookup that should get modified.</P> <HR /> <P>Update 09.09.2014</P> <P>Thanks for you suggestions MuS &amp; martin_mueller, they did not work for me at least not the way i tried them:</P> <P>If I add <CODE>splunk_server=local</CODE> to the beginning of the macro a remote search is still triggered:<BR /> <IMG src="http://answers.splunk.com//storage/remoteSearch_1.png" alt="alt text" /></P> <P>If I try with inputlookup as the first command of the macro I get an error:<BR /> <IMG src="http://answers.splunk.com//storage/inputlookup.png" alt="alt text" /></P> <P>If I just enter a <CODE>| stats count</CODE> in the search field the job inspector shows the following:<BR /> <IMG src="http://answers.splunk.com//storage/stats_count.png" alt="alt text" /></P> Mon, 08 Sep 2014 12:29:41 GMT chris 2014-09-08T12:29:41Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115185#M30471 <P>Using | stats count is often useful to do a quick test</P> <PRE><CODE>| stats count | some search where you do not need event data </CODE></PRE> <P>I wanted to use that mechanism/pattern in a macro that does modifications to a lookup. The macro is called/used by a workflow action</P> <PRE><CODE>[test] definition = | stats count | do stuff with a lookup iseval = 0 </CODE></PRE> <P>Calling the macro triggers a remote search and takes much longer than doing the same directly in the search field in the default search view. <BR /> Is there a way around this? Is this the wrong aproach? <BR /> I could embed the search directly in the work flow action but I would like to pass on the name of the lookup that should get modified.</P> <HR /> <P>Update 09.09.2014</P> <P>Thanks for you suggestions MuS &amp; martin_mueller, they did not work for me at least not the way i tried them:</P> <P>If I add <CODE>splunk_server=local</CODE> to the beginning of the macro a remote search is still triggered:<BR /> <IMG src="http://answers.splunk.com//storage/remoteSearch_1.png" alt="alt text" /></P> <P>If I try with inputlookup as the first command of the macro I get an error:<BR /> <IMG src="http://answers.splunk.com//storage/inputlookup.png" alt="alt text" /></P> <P>If I just enter a <CODE>| stats count</CODE> in the search field the job inspector shows the following:<BR /> <IMG src="http://answers.splunk.com//storage/stats_count.png" alt="alt text" /></P> Mon, 08 Sep 2014 12:29:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115185#M30471 chris 2014-09-08T12:29:41Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115186#M30472 <P>How about :</P> <PRE><CODE>splunk_server=local | stats count | foo boo </CODE></PRE> Mon, 08 Sep 2014 12:34:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115186#M30472 MuS 2014-09-08T12:34:37Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115187#M30473 <P>Depending on what stuff you want to do with a lookup you may use <CODE>inputlookup</CODE> instead.</P> Mon, 08 Sep 2014 13:17:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115187#M30473 martin_mueller 2014-09-08T13:17:18Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115188#M30474 <P>can you try either </P> <PRE><CODE>| inputlookup append=t </CODE></PRE> <P>or</P> <PRE><CODE>| lookup local=true </CODE></PRE> Tue, 09 Sep 2014 13:03:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115188#M30474 MuS 2014-09-09T13:03:31Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115189#M30475 <P>Thanks for the suggestion, the problem remains the same though. I am fine running this manually from search form but as soon as the command is packed into a macro a search is triggered. I think macros should either do a proper search or not be the first part of a search ... -&gt; If I take the first pipe out of the macro I'm fine: | <CODE>macro</CODE> -&gt; and the macro contains "inputlookup append=t somename" or "stats count"</P> Wed, 10 Sep 2014 14:11:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115189#M30475 chris 2014-09-10T14:11:15Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115190#M30476 <P>Ah. Yeah, that's normal.</P> <PRE><CODE>| `some macro` </CODE></PRE> <P>With the macro not containing the pipe at the beginning.</P> Wed, 10 Sep 2014 15:02:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115190#M30476 martin_mueller 2014-09-10T15:02:01Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115191#M30477 <P>Do you know why?</P> Thu, 11 Sep 2014 19:42:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115191#M30477 chris 2014-09-11T19:42:50Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115192#M30478 <P>Technically not "why", but I can explain further. Say you have two macros like this:</P> <PRE><CODE>[pipe] definition = | stats count iseval = 0 [nopipe] definition = stats count iseval = 0 </CODE></PRE> <P>When you run this search</P> <PRE><CODE>| `nopipe` </CODE></PRE> <P>and look at the search inspector you see these:</P> <PRE><CODE>search: | `nopipe` normalizedSearch: prestats count remoteSearch: prestats count </CODE></PRE> <P>In other words, Splunk tells its search peers "do nothing, and tell me how many events you found" - yielding a zero very quickly. The explicit pipe at the beginning suppresses the implicit <CODE>search</CODE>.</P> Thu, 11 Sep 2014 20:06:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115192#M30478 martin_mueller 2014-09-11T20:06:51Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115193#M30479 <P>Now to compare, you run this:</P> <PRE><CODE>`pipe` </CODE></PRE> <P>expecting the search to do the same after macro replacement. However, that's not the case when looking at the search inspector:</P> <PRE><CODE>search: search `pipe` normalizedSearch: litsearch | addinfo type=count label=prereport_events | fields keepcolorder=t "prestats_reserved_*" "psrsvd_*" | prestats count remoteSearch: litsearch | addinfo type=count label=prereport_events | fields keepcolorder=t "prestats_reserved_*" "psrsvd_*" | prestats count </CODE></PRE> <P>Here, Splunk's telling its search peers "Run a search with no filters and count"... EEEEEEP!</P> Thu, 11 Sep 2014 20:08:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115193#M30479 martin_mueller 2014-09-11T20:08:50Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115194#M30480 <P>Without the explicit pipe at the beginning the implicit <CODE>search</CODE> command gets added <STRONG>before macro replacement</STRONG>, effectively making the search <CODE>* | stats count</CODE>. Hence you're counting ALL the events, taking a long time.</P> <P>That's what's happening, but don't ask me why...</P> <P><IMG src="http://answers.splunk.com//storage/all-the-things-meme-generator-inventory-count-all-the-things-cb7ac6.jpg" alt="alt text" /></P> Thu, 11 Sep 2014 20:09:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115194#M30480 martin_mueller 2014-09-11T20:09:41Z https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115195#M30481 <P><CODE>| localop | stats count</CODE> -&gt; remoteSearch = None</P> Sun, 11 Oct 2015 19:29:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-prevent-stats-count-in-a-macro-from-triggering-a-remote/m-p/115195#M30481 mikebd 2015-10-11T19:29:33Z