Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Cannot Call A Search Command from Search Macro

spraus
Explorer
‎02-08-2018 11:48 AM

Hello everyone;

I am trying to call a search command from a search macro. Does anyone have a suggestion.
Example:
Typical Search String: | ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"
Search Macro: | ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" $filter$

When I run this it is as if 'ldapsearch' is not executed as the search returns way too quick as compared to the raw search.

Thank you in advance;
SPraus

Edit:
Exact "Actual" Macro:

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs="cn,sAMAccountName,mail,department,displayName,canonicalName,objectCategory,l,memberOf,pwdLastSet,sAMAccountType,title,givenName,sn,info,comment,userAccountControl,lastLogon" | rex field=memberOf "CN=(?<groups>.*?),OU=" | strcat "Info: " info "::" "Comment: " comment infoComments | makemv delim="::" infoComments | makemv delim=";" duoAliases | makemv delim="/" canonicalName | eval container = mvindex(canonicalName, 1) | search $filter$

And I have tested with just simply the start as I suggested above.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎02-08-2018 11:56 AM

The ldapsearch command is a generating command, which means it must always be preceded by a | (pipe) character. When generating commands are used in macros, you can't put the pipe inside the macro, so you'll need to ensure your search query always contains a pipe immediately before the macro on your search line. So if your macro is named ldap_macro, then you can't do this:

`ldap_macro` | whatever else...

Instead, you must always do this:

| `ldap_macro` | whatever else...

View solution in original post

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎02-08-2018 11:56 AM

The ldapsearch command is a generating command, which means it must always be preceded by a | (pipe) character. When generating commands are used in macros, you can't put the pipe inside the macro, so you'll need to ensure your search query always contains a pipe immediately before the macro on your search line. So if your macro is named ldap_macro, then you can't do this:

`ldap_macro` | whatever else...

Instead, you must always do this:

| `ldap_macro` | whatever else...
Reply
Solved! Jump to solution

spraus
Explorer
‎02-08-2018 12:06 PM

My apologies elliotproebstel... My macro does include the "| ldapsearch " as you suggest. I forgot to add it above and will edit it. Unfortunately even with the | it is still not returning any results. My exact macro will now be added to the edit.

Sorry about that;
Stephen

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎02-08-2018 12:13 PM

I think he's saying your macro needs to look like:

[<macro name>]
search = ldapsearch ...

And you would do this in your search string:

| `<macro name>`
Reply
Solved! Jump to solution

spraus
Explorer
‎02-08-2018 12:15 PM

You are completely correct Micah. Thank you!!!

Final answers:
Search Macro: " ldapsearch ....." (Note no |)
Use of search macro: " | {SearchMacroName} " (Note |)

Thank you all!!!

Reply
Solved! Jump to solution

micahkemp
Champion
‎02-08-2018 12:00 PM

Specifically you just can't start a macro with a pipe.

Reply
Solved! Jump to solution

elliotproebstel
Champion
‎02-08-2018 02:11 PM

Yes, thanks for correcting and clarifying!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...