inputlookup in macro

JensT · ‎08-05-2013

Hi,

I have this search:

| inputlookup mySearch | where foo=bar

Now I'd like to do this:

mySearch(bar)

with definition = | inputlookup mySearch | where foo=$bar$

But it does not work.

I get: Error in 'inputlookup' command: This command must be the first command of a search.

How can i use inputlookup in a macro?

Regards, Jens

martin_mueller · ‎08-05-2013

Here's what is happening: Splunk is turning this query

`mySearch(bar)`

into this:

search `mySearch(bar)`

which is then expanded into this:

search | inputlookup yada yada yada

To get around this you need to move the pipe out of the macro and into the search:

| `mySearch(bar)`

This will make sure Splunk does not add the implicit search command.

linu1988 · ‎08-05-2013

It happens because Splunk adds an search before MACRO, Savedsearch when it's called. So if you just mention the |inputlookup macro(bar) then it will work. Thanks. There may be some other solution but i can tell this much.

inputlookup in macro

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too! Learn More or Register Now >

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Learn More or Register Now >