Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

inputlookup in macro

JensT
Communicator
‎08-05-2013 11:37 AM

Hi,

I have this search:


| inputlookup mySearch | where foo=bar

Now I'd like to do this:

mySearch(bar)


with definition = | inputlookup mySearch | where foo=$bar$

But it does not work.

I get: Error in 'inputlookup' command: This command must be the first command of a search.

How can i use inputlookup in a macro?

Regards, Jens

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎08-05-2013 11:56 PM

Here's what is happening: Splunk is turning this query

`mySearch(bar)`

into this:

search `mySearch(bar)`

which is then expanded into this:

search | inputlookup yada yada yada

To get around this you need to move the pipe out of the macro and into the search:

| `mySearch(bar)`

This will make sure Splunk does not add the implicit search command.

Reply

linu1988
Champion
‎08-05-2013 12:03 PM

It happens because Splunk adds an search before MACRO, Savedsearch when it's called. So if you just mention the |inputlookup macro(bar) then it will work. Thanks. There may be some other solution but i can tell this much.

0 Karma
Reply
Related Topics
inputlookup in a macro
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...