Hi,

perhaps it is the wrong approach, but i try to use an inputlookup within a search and pass a value to this subsearch.
It looks like this:

    index=myindex sourcetype=stype source=sourcename
    |eval SourceHost =[|inputlookup transfer_nodes.csv 
                       |search nodeId IN ($last_source_node_id$)
                       |fields name
                       |stats first(name) as SourceHost
                       |eval SourceHost="\"".SourceHost."\""
                       |return $SourceHost
                      ]
|eval DestinationHost =[|inputlookup transfer_nodes.csv 
                       |search nodeId IN ($last_dest_node_id$)
                       |fields name
                       |stats first(name) as DestinationHost
                       |eval DestinationHost="\"".DestinationHost."\""
                       |return $DestinationHost
                      ]
    |table name,SourceHost,DestinationHost

I get the following error: Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

The problem is the passing of the value $last_source_node_id$ ($last_dest_node_id$)

I already tried to map the subsearch, then the passing works, but the result is not what i expected.

Finally I would like to use a macro like GetTransferNode($last_nodeId$)

Hope you have an idea how to solve it.

best regards and thank you in advance !