Solved: macro with localop?

vbumgarner · ‎05-03-2011

Is there any way to start a macro with a generator command? I get the error "The command must be the first command of a search."

hazekamp · ‎05-03-2011

Vincent,

You can have macros that make use of generating commands, but the error is likely correct in that certain search commands (i.e. metadata) must be the first command of a search.

## macros.conf
[metadata]
definition = metadata type=hosts index=*
iseval = 0

## search
| `metadata`

View solution in original post

hazekamp · ‎05-03-2011

Vincent,

You can have macros that make use of generating commands, but the error is likely correct in that certain search commands (i.e. metadata) must be the first command of a search.

## macros.conf
[metadata]
definition = metadata type=hosts index=*
iseval = 0

## search
| `metadata`

gkanapathy · ‎05-03-2011

It is lame. Can you do it if you make it into an iseval=1 definition returning a string?

vbumgarner · ‎05-03-2011

We figured that out, but it's kinda lame. It'd be nice to have the pipe in the definition.

macro with localop?

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?

macro with localop?

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)