Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

inputlookup from CSV inside macro -- why doesn't this work as a base search?

dorrfg
Engager
‎09-05-2017 04:01 AM

I have a lookup file called us_customers.csv that contains a single field: customer.
I would like to filter the results of my query to the customers in the lookup CSV file.

This query works for me, I see exactly the hosts that belong to the customers:

[ | inputlookup us_customers.csv ] | stats count by host

So I made a macro:

[us_customers]
definition = search [ | inputlookup us_customers.csv ]

And now querying using it:

`us_customers` | stats count by host

I see only a partial result set.

Can anyone explain why this doesn't work?
Thanks.

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-05-2017 05:59 AM

It will work if you do this:

| `us_customers` | stats count by host

And define it like this:

 definition = inputlookup us_customers.csv

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-05-2017 05:59 AM

It will work if you do this:

| `us_customers` | stats count by host

And define it like this:

 definition = inputlookup us_customers.csv
Reply
Solved! Jump to solution

dorrfg
Engager
‎09-05-2017 12:07 PM

Thanks. I understand why it works using a pipe, but I'm wondering why it's no good as a base search.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-10-2017 01:47 AM

The man who wrote macros is @sideview and he recently commented in slack more fully than he did in this answer:
https://answers.splunk.com/answers/75612/inputlookup-in-a-macro.html

Perhaps he will share some of that additional commentary here now.

Reply
Solved! Jump to solution

DalJeanis
Legend
‎09-05-2017 03:57 PM

The word "search" is not needed / not valid in a base search. Try index=* where you have search.

Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...