Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can anyone help with inputlookup not working inside a macro?

ddelmont
Explorer
‎12-11-2020 11:49 AM

Here is the test_lookup.cvs I'm using:

c1c2c3c4c5
r11234
r25678
r39101112
r413141516

 

This works:

 

| inputlookup test_lookup.csv
| eval input="r1,r2"
| makemv delim="," input
| eval input_rule=if(c1=input,"1","0") 
| where input_rule=1 
| format
| eval search="\"".search."\""

 

Returns:

"( ( c1="r1" AND c2="1" AND c3="2" AND c4="3" AND c5="4" AND ( input="r1" OR input="r2" ) AND input_rule="1" ) OR ( c1="r2" AND c2="5" AND c3="6" AND c4="7" AND c5="8" AND ( input="r1" OR input="r2" ) AND input_rule="1" ) )"

So I created test_macro(1)

 

inputlookup test_lookup.csv
| eval input="$rows$"
| makemv delim="," input
| eval input_rule=if(c1=input,"1","0") 
| where input_rule=1 
| format
| eval search="\"".search."\""

 

Run this:

 

| makeresults
| eval rows="r1,r3"
| eval score=
       [|`test_macro(rows)`]

 


Using the macro the results are:

NOT ()

I have tried everything I can think of!  Pulling my hair out at this point.  Thanks.

Labels (1)
Labels
Tags (2)
0 Karma
Reply

nickhills
Ultra Champion
‎12-12-2020 04:03 AM

Untested, but try this in the macro:

| eval macroRow=$row$
| lookup test_lookup.csv local=true c1 as macroRow
| format
| eval search="\"".search."\""
If my comment helps, please give it a thumbs up!
0 Karma
Reply

ddelmont
Explorer
‎12-11-2020 03:17 PM

So if I read these correctly you can't pass a token to a subsearch:
https://community.splunk.com/t5/Splunk-Search/Pass-value-to-subsearch-with-inputlookup/td-p/494990
https://community.splunk.com/t5/Splunk-Search/How-to-expand-macro-arguments-in-eval-subsearch/m-p/13... 

Ok, So instead of a subsearch with inputlookup, I am trying to pass a token to |ookup.  Not working either... LOL.

So macro set with iseval is now:

| lookup test_lookup.csv local=true c1 as $row$
| format
| eval search="\"".search."\""

Running:

| makeresults
| eval row="r3"
| eval string=`test_macro(row)`

returns:

Error in 'SearchParser': The definition of macro 'test_macro(1)' is expected to be an eval expression that returns a string.

So what am I missing.  I'm running version 7.3.7.1, is that why it doesn't work?

I've also read (below) and seems like this should work.

https://community.splunk.com/t5/Splunk-Search/When-I-use-eval-command-to-assign-search-to-variable-w... 

https://community.splunk.com/t5/Splunk-Search/Don-t-get-eval-based-macros/m-p/32007#M6652 

0 Karma
Reply
Get Updates on the Splunk Community!

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...