Knowledge Management
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

inputlookup in macro

JensT
Communicator
‎08-05-2013 11:37 AM

Hi,

I have this search:


| inputlookup mySearch | where foo=bar

Now I'd like to do this:

mySearch(bar)


with definition = | inputlookup mySearch | where foo=$bar$

But it does not work.

I get: Error in 'inputlookup' command: This command must be the first command of a search.

How can i use inputlookup in a macro?

Regards, Jens

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎08-05-2013 11:56 PM

Here's what is happening: Splunk is turning this query

`mySearch(bar)`

into this:

search `mySearch(bar)`

which is then expanded into this:

search | inputlookup yada yada yada

To get around this you need to move the pipe out of the macro and into the search:

| `mySearch(bar)`

This will make sure Splunk does not add the implicit search command.

Reply

linu1988
Champion
‎08-05-2013 12:03 PM

It happens because Splunk adds an search before MACRO, Savedsearch when it's called. So if you just mention the |inputlookup macro(bar) then it will work. Thanks. There may be some other solution but i can tell this much.

0 Karma
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top