Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can anyone help with inputlookup not working inside a macro?

ddelmont
Explorer
‎12-11-2020 11:49 AM

Here is the test_lookup.cvs I'm using:

c1c2c3c4c5
r11234
r25678
r39101112
r413141516

 

This works:

 

| inputlookup test_lookup.csv
| eval input="r1,r2"
| makemv delim="," input
| eval input_rule=if(c1=input,"1","0") 
| where input_rule=1 
| format
| eval search="\"".search."\""

 

Returns:

"( ( c1="r1" AND c2="1" AND c3="2" AND c4="3" AND c5="4" AND ( input="r1" OR input="r2" ) AND input_rule="1" ) OR ( c1="r2" AND c2="5" AND c3="6" AND c4="7" AND c5="8" AND ( input="r1" OR input="r2" ) AND input_rule="1" ) )"

So I created test_macro(1)

 

inputlookup test_lookup.csv
| eval input="$rows$"
| makemv delim="," input
| eval input_rule=if(c1=input,"1","0") 
| where input_rule=1 
| format
| eval search="\"".search."\""

 

Run this:

 

| makeresults
| eval rows="r1,r3"
| eval score=
       [|`test_macro(rows)`]

 


Using the macro the results are:

NOT ()

I have tried everything I can think of!  Pulling my hair out at this point.  Thanks.

Labels (1)
Labels
Tags (2)
0 Karma
Reply

nickhills
Ultra Champion
‎12-12-2020 04:03 AM

Untested, but try this in the macro:

| eval macroRow=$row$
| lookup test_lookup.csv local=true c1 as macroRow
| format
| eval search="\"".search."\""
If my comment helps, please give it a thumbs up!
0 Karma
Reply

ddelmont
Explorer
‎12-11-2020 03:17 PM

So if I read these correctly you can't pass a token to a subsearch:
https://community.splunk.com/t5/Splunk-Search/Pass-value-to-subsearch-with-inputlookup/td-p/494990
https://community.splunk.com/t5/Splunk-Search/How-to-expand-macro-arguments-in-eval-subsearch/m-p/13... 

Ok, So instead of a subsearch with inputlookup, I am trying to pass a token to |ookup.  Not working either... LOL.

So macro set with iseval is now:

| lookup test_lookup.csv local=true c1 as $row$
| format
| eval search="\"".search."\""

Running:

| makeresults
| eval row="r3"
| eval string=`test_macro(row)`

returns:

Error in 'SearchParser': The definition of macro 'test_macro(1)' is expected to be an eval expression that returns a string.

So what am I missing.  I'm running version 7.3.7.1, is that why it doesn't work?

I've also read (below) and seems like this should work.

https://community.splunk.com/t5/Splunk-Search/When-I-use-eval-command-to-assign-search-to-variable-w... 

https://community.splunk.com/t5/Splunk-Search/Don-t-get-eval-based-macros/m-p/32007#M6652 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...