Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

inputlookup in macro

JensT
Communicator
‎08-05-2013 11:37 AM

Hi,

I have this search:


| inputlookup mySearch | where foo=bar

Now I'd like to do this:

mySearch(bar)


with definition = | inputlookup mySearch | where foo=$bar$

But it does not work.

I get: Error in 'inputlookup' command: This command must be the first command of a search.

How can i use inputlookup in a macro?

Regards, Jens

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎08-05-2013 11:56 PM

Here's what is happening: Splunk is turning this query

`mySearch(bar)`

into this:

search `mySearch(bar)`

which is then expanded into this:

search | inputlookup yada yada yada

To get around this you need to move the pipe out of the macro and into the search:

| `mySearch(bar)`

This will make sure Splunk does not add the implicit search command.

Reply

linu1988
Champion
‎08-05-2013 12:03 PM

It happens because Splunk adds an search before MACRO, Savedsearch when it's called. So if you just mention the |inputlookup macro(bar) then it will work. Thanks. There may be some other solution but i can tell this much.

0 Karma
Reply
Related Topics
inputlookup in a macro
Get Updates on the Splunk Community!

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...