Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- inputlookup from CSV inside macro -- why doesn't t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a lookup file called us_customers.csv that contains a single field: customer.
I would like to filter the results of my query to the customers in the lookup CSV file.
This query works for me, I see exactly the hosts that belong to the customers:
[ | inputlookup us_customers.csv ] | stats count by host
So I made a macro:
[us_customers]
definition = search [ | inputlookup us_customers.csv ]
And now querying using it:
`us_customers` | stats count by host
I see only a partial result set.
Can anyone explain why this doesn't work?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It will work if you do this:
| `us_customers` | stats count by host
And define it like this:
definition = inputlookup us_customers.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It will work if you do this:
| `us_customers` | stats count by host
And define it like this:
definition = inputlookup us_customers.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. I understand why it works using a pipe, but I'm wondering why it's no good as a base search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The man who wrote macros is @sideview and he recently commented in slack more fully than he did in this answer:
https://answers.splunk.com/answers/75612/inputlookup-in-a-macro.html
Perhaps he will share some of that additional commentary here now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The word "search" is not needed / not valid in a base search. Try index=* where you have search.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
