Knowledge Management

Can anyone help with inputlookup not working inside a macro?

ddelmont
Explorer

Here is the test_lookup.cvs I'm using:

c1c2c3c4c5
r11234
r25678
r39101112
r413141516

 

This works:

 

| inputlookup test_lookup.csv
| eval input="r1,r2"
| makemv delim="," input
| eval input_rule=if(c1=input,"1","0") 
| where input_rule=1 
| format
| eval search="\"".search."\""

 

Returns:

"( ( c1="r1" AND c2="1" AND c3="2" AND c4="3" AND c5="4" AND ( input="r1" OR input="r2" ) AND input_rule="1" ) OR ( c1="r2" AND c2="5" AND c3="6" AND c4="7" AND c5="8" AND ( input="r1" OR input="r2" ) AND input_rule="1" ) )"

So I created test_macro(1)

 

inputlookup test_lookup.csv
| eval input="$rows$"
| makemv delim="," input
| eval input_rule=if(c1=input,"1","0") 
| where input_rule=1 
| format
| eval search="\"".search."\""

 

Run this:

 

| makeresults
| eval rows="r1,r3"
| eval score=
       [|`test_macro(rows)`]

 


Using the macro the results are:

NOT ()

I have tried everything I can think of!  Pulling my hair out at this point.  Thanks.

Labels (1)
Tags (2)
0 Karma

nickhills
Ultra Champion

Untested, but try this in the macro:

| eval macroRow=$row$
| lookup test_lookup.csv local=true c1 as macroRow
| format
| eval search="\"".search."\""
If my comment helps, please give it a thumbs up!
0 Karma

ddelmont
Explorer

So if I read these correctly you can't pass a token to a subsearch:
https://community.splunk.com/t5/Splunk-Search/Pass-value-to-subsearch-with-inputlookup/td-p/494990
https://community.splunk.com/t5/Splunk-Search/How-to-expand-macro-arguments-in-eval-subsearch/m-p/13... 

Ok, So instead of a subsearch with inputlookup, I am trying to pass a token to |ookup.  Not working either... LOL.

So macro set with iseval is now:

| lookup test_lookup.csv local=true c1 as $row$
| format
| eval search="\"".search."\""

Running:

| makeresults
| eval row="r3"
| eval string=`test_macro(row)`

returns:

Error in 'SearchParser': The definition of macro 'test_macro(1)' is expected to be an eval expression that returns a string.

So what am I missing.  I'm running version 7.3.7.1, is that why it doesn't work?

I've also read (below) and seems like this should work.

https://community.splunk.com/t5/Splunk-Search/When-I-use-eval-command-to-assign-search-to-variable-w... 

https://community.splunk.com/t5/Splunk-Search/Don-t-get-eval-based-macros/m-p/32007#M6652 

0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...