Solved: Re: inputlookup from CSV inside macro -- why doesn...

dorrfg · ‎09-05-2017

I have a lookup file called us_customers.csv that contains a single field: customer.
I would like to filter the results of my query to the customers in the lookup CSV file.

This query works for me, I see exactly the hosts that belong to the customers:

[ | inputlookup us_customers.csv ] | stats count by host

So I made a macro:

[us_customers]
definition = search [ | inputlookup us_customers.csv ]

And now querying using it:

`us_customers` | stats count by host

I see only a partial result set.

Can anyone explain why this doesn't work?
Thanks.

woodcock · ‎09-05-2017

It will work if you do this:

| `us_customers` | stats count by host

And define it like this:

 definition = inputlookup us_customers.csv

View solution in original post

woodcock · ‎09-05-2017

It will work if you do this:

| `us_customers` | stats count by host

And define it like this:

 definition = inputlookup us_customers.csv

dorrfg · ‎09-05-2017

Thanks. I understand why it works using a pipe, but I'm wondering why it's no good as a base search.

woodcock · ‎09-10-2017

The man who wrote macros is @sideview and he recently commented in slack more fully than he did in this answer:
https://answers.splunk.com/answers/75612/inputlookup-in-a-macro.html

Perhaps he will share some of that additional commentary here now.

DalJeanis · ‎09-05-2017

The word "search" is not needed / not valid in a base search. Try index=* where you have search.

inputlookup from CSV inside macro -- why doesn't this work as a base search?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!