Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Pass Value to macro with inputlookup to return value

tdoSplunk
Path Finder
‎01-23-2020 02:10 AM

Hi,

perhaps it is the wrong approach, but i try to use an inputlookup within a search and pass a value to this subsearch.
It looks like this:

    index=myindex sourcetype=stype source=sourcename
    |eval SourceHost =[|inputlookup transfer_nodes.csv 
                       |search nodeId IN ($last_source_node_id$)
                       |fields name
                       |stats first(name) as SourceHost
                       |eval SourceHost="\"".SourceHost."\""
                       |return $SourceHost
                      ]
|eval DestinationHost =[|inputlookup transfer_nodes.csv 
                       |search nodeId IN ($last_dest_node_id$)
                       |fields name
                       |stats first(name) as DestinationHost
                       |eval DestinationHost="\"".DestinationHost."\""
                       |return $DestinationHost
                      ]
    |table name,SourceHost,DestinationHost

I get the following error: Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

The problem is the passing of the value $last_source_node_id$ ($last_dest_node_id$)

I already tried to map the subsearch, then the passing works, but the result is not what i expected.

Finally I would like to use a macro like GetTransferNode($last_nodeId$)

Hope you have an idea how to solve it.

best regards and thank you in advance !

Labels (2)
Labels
0 Karma
Reply

tdoSplunk
Path Finder
‎01-24-2020 12:15 AM

https://answers.splunk.com/answers/797495/pass-value-to-subsearch-with-inputlookup-1.html

I posted it twice, sorry

0 Karma
Reply

nickhills
Ultra Champion
‎01-23-2020 05:28 AM

I maybe missing something in the detail or your use case, but is there a reason you cant use a normal lookup rather than inputlookup?

Are you able to provide some sample data?

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...