Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cannot Call A Search Command from Search Macro

spraus
Explorer
‎02-08-2018 11:48 AM

Hello everyone;

I am trying to call a search command from a search macro. Does anyone have a suggestion.
Example:
Typical Search String: | ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"
Search Macro: | ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" $filter$

When I run this it is as if 'ldapsearch' is not executed as the search returns way too quick as compared to the raw search.

Thank you in advance;
SPraus

Edit:
Exact "Actual" Macro:

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs="cn,sAMAccountName,mail,department,displayName,canonicalName,objectCategory,l,memberOf,pwdLastSet,sAMAccountType,title,givenName,sn,info,comment,userAccountControl,lastLogon" | rex field=memberOf "CN=(?<groups>.*?),OU=" | strcat "Info: " info "::" "Comment: " comment infoComments | makemv delim="::" infoComments | makemv delim=";" duoAliases | makemv delim="/" canonicalName | eval container = mvindex(canonicalName, 1) | search $filter$

And I have tested with just simply the start as I suggested above.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎02-08-2018 11:56 AM

The ldapsearch command is a generating command, which means it must always be preceded by a | (pipe) character. When generating commands are used in macros, you can't put the pipe inside the macro, so you'll need to ensure your search query always contains a pipe immediately before the macro on your search line. So if your macro is named ldap_macro, then you can't do this:

`ldap_macro` | whatever else...

Instead, you must always do this:

| `ldap_macro` | whatever else...

View solution in original post

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎02-08-2018 11:56 AM

The ldapsearch command is a generating command, which means it must always be preceded by a | (pipe) character. When generating commands are used in macros, you can't put the pipe inside the macro, so you'll need to ensure your search query always contains a pipe immediately before the macro on your search line. So if your macro is named ldap_macro, then you can't do this:

`ldap_macro` | whatever else...

Instead, you must always do this:

| `ldap_macro` | whatever else...
Reply
Solved! Jump to solution

spraus
Explorer
‎02-08-2018 12:06 PM

My apologies elliotproebstel... My macro does include the "| ldapsearch " as you suggest. I forgot to add it above and will edit it. Unfortunately even with the | it is still not returning any results. My exact macro will now be added to the edit.

Sorry about that;
Stephen

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎02-08-2018 12:13 PM

I think he's saying your macro needs to look like:

[<macro name>]
search = ldapsearch ...

And you would do this in your search string:

| `<macro name>`
Reply
Solved! Jump to solution

spraus
Explorer
‎02-08-2018 12:15 PM

You are completely correct Micah. Thank you!!!

Final answers:
Search Macro: " ldapsearch ....." (Note no |)
Use of search macro: " | {SearchMacroName} " (Note |)

Thank you all!!!

Reply
Solved! Jump to solution

micahkemp
Champion
‎02-08-2018 12:00 PM

Specifically you just can't start a macro with a pipe.

Reply
Solved! Jump to solution

elliotproebstel
Champion
‎02-08-2018 02:11 PM

Yes, thanks for correcting and clarifying!

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

[Puzzles] Solve, Learn, Repeat: Unmerging HTML TablesFor a previous puzzle, I needed some sample data, and ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...