Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- Re: Can anyone help with inputlookup not working i...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can anyone help with inputlookup not working inside a macro?
Here is the test_lookup.cvs I'm using:
| c1 | c2 | c3 | c4 | c5 |
| r1 | 1 | 2 | 3 | 4 |
| r2 | 5 | 6 | 7 | 8 |
| r3 | 9 | 10 | 11 | 12 |
| r4 | 13 | 14 | 15 | 16 |
This works:
| inputlookup test_lookup.csv
| eval input="r1,r2"
| makemv delim="," input
| eval input_rule=if(c1=input,"1","0")
| where input_rule=1
| format
| eval search="\"".search."\""
Returns:
"( ( c1="r1" AND c2="1" AND c3="2" AND c4="3" AND c5="4" AND ( input="r1" OR input="r2" ) AND input_rule="1" ) OR ( c1="r2" AND c2="5" AND c3="6" AND c4="7" AND c5="8" AND ( input="r1" OR input="r2" ) AND input_rule="1" ) )"
So I created test_macro(1)
inputlookup test_lookup.csv
| eval input="$rows$"
| makemv delim="," input
| eval input_rule=if(c1=input,"1","0")
| where input_rule=1
| format
| eval search="\"".search."\""
Run this:
| makeresults
| eval rows="r1,r3"
| eval score=
[|`test_macro(rows)`]
Using the macro the results are:
NOT ()
I have tried everything I can think of! Pulling my hair out at this point. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Untested, but try this in the macro:
| eval macroRow=$row$
| lookup test_lookup.csv local=true c1 as macroRow
| format
| eval search="\"".search."\""- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So if I read these correctly you can't pass a token to a subsearch:
https://community.splunk.com/t5/Splunk-Search/Pass-value-to-subsearch-with-inputlookup/td-p/494990
https://community.splunk.com/t5/Splunk-Search/How-to-expand-macro-arguments-in-eval-subsearch/m-p/13...
Ok, So instead of a subsearch with inputlookup, I am trying to pass a token to |ookup. Not working either... LOL.
So macro set with iseval is now:
| lookup test_lookup.csv local=true c1 as $row$
| format
| eval search="\"".search."\""
Running:
| makeresults
| eval row="r3"
| eval string=`test_macro(row)`returns:
Error in 'SearchParser': The definition of macro 'test_macro(1)' is expected to be an eval expression that returns a string.
So what am I missing. I'm running version 7.3.7.1, is that why it doesn't work?
I've also read (below) and seems like this should work.
https://community.splunk.com/t5/Splunk-Search/Don-t-get-eval-based-macros/m-p/32007#M6652
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
