Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cannot Call A Search Command from Search Macro

spraus
Explorer
‎02-08-2018 11:48 AM

Hello everyone;

I am trying to call a search command from a search macro. Does anyone have a suggestion.
Example:
Typical Search String: | ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"
Search Macro: | ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" $filter$

When I run this it is as if 'ldapsearch' is not executed as the search returns way too quick as compared to the raw search.

Thank you in advance;
SPraus

Edit:
Exact "Actual" Macro:

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs="cn,sAMAccountName,mail,department,displayName,canonicalName,objectCategory,l,memberOf,pwdLastSet,sAMAccountType,title,givenName,sn,info,comment,userAccountControl,lastLogon" | rex field=memberOf "CN=(?<groups>.*?),OU=" | strcat "Info: " info "::" "Comment: " comment infoComments | makemv delim="::" infoComments | makemv delim=";" duoAliases | makemv delim="/" canonicalName | eval container = mvindex(canonicalName, 1) | search $filter$

And I have tested with just simply the start as I suggested above.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎02-08-2018 11:56 AM

The ldapsearch command is a generating command, which means it must always be preceded by a | (pipe) character. When generating commands are used in macros, you can't put the pipe inside the macro, so you'll need to ensure your search query always contains a pipe immediately before the macro on your search line. So if your macro is named ldap_macro, then you can't do this:

`ldap_macro` | whatever else...

Instead, you must always do this:

| `ldap_macro` | whatever else...

View solution in original post

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎02-08-2018 11:56 AM

The ldapsearch command is a generating command, which means it must always be preceded by a | (pipe) character. When generating commands are used in macros, you can't put the pipe inside the macro, so you'll need to ensure your search query always contains a pipe immediately before the macro on your search line. So if your macro is named ldap_macro, then you can't do this:

`ldap_macro` | whatever else...

Instead, you must always do this:

| `ldap_macro` | whatever else...
Reply
Solved! Jump to solution

spraus
Explorer
‎02-08-2018 12:06 PM

My apologies elliotproebstel... My macro does include the "| ldapsearch " as you suggest. I forgot to add it above and will edit it. Unfortunately even with the | it is still not returning any results. My exact macro will now be added to the edit.

Sorry about that;
Stephen

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎02-08-2018 12:13 PM

I think he's saying your macro needs to look like:

[<macro name>]
search = ldapsearch ...

And you would do this in your search string:

| `<macro name>`
Reply
Solved! Jump to solution

spraus
Explorer
‎02-08-2018 12:15 PM

You are completely correct Micah. Thank you!!!

Final answers:
Search Macro: " ldapsearch ....." (Note no |)
Use of search macro: " | {SearchMacroName} " (Note |)

Thank you all!!!

Reply
Solved! Jump to solution

micahkemp
Champion
‎02-08-2018 12:00 PM

Specifically you just can't start a macro with a pipe.

Reply
Solved! Jump to solution

elliotproebstel
Champion
‎02-08-2018 02:11 PM

Yes, thanks for correcting and clarifying!

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...