Splunk Search

How to prevent | stats count in a macro from triggering a remote search?

chris
Motivator

Using | stats count is often useful to do a quick test

| stats count | some search where you do not need event data

I wanted to use that mechanism/pattern in a macro that does modifications to a lookup. The macro is called/used by a workflow action

[test]
definition = | stats count | do stuff with a lookup
iseval = 0

Calling the macro triggers a remote search and takes much longer than doing the same directly in the search field in the default search view.
Is there a way around this? Is this the wrong approach?
I could embed the search directly in the workflow action but I would like to pass on the name of the lookup that should get modified.


Update 09.09.2014

Thanks for your suggestions MuS & martin_mueller, they did not work for me, at least not the way I tried them:

If I add splunk_server=local to the beginning of the macro a remote search is still triggered:
[screenshot of the job inspector not included]

If I try with inputlookup as the first command of the macro I get an error:
[screenshot of the error not included]

If I just enter a | stats count in the search field the job inspector shows the following:
[screenshot of the job inspector not included]

1 Solution

martin_mueller
SplunkTrust

Ah. Yeah, that's normal.

| `some macro`

With the macro not containing the pipe at the beginning.


mikebd
Path Finder

| localop | stats count -> remoteSearch = None



martin_mueller
SplunkTrust

Without the explicit pipe at the beginning the implicit search command gets added before macro replacement, effectively making the search * | stats count. Hence you're counting ALL the events, taking a long time.

That's what's happening, but don't ask me why...

[screenshot of the job inspector not included]

martin_mueller
SplunkTrust

Now to compare, you run this:

`pipe`

expecting the search to do the same after macro replacement. However, that's not the case when looking at the search inspector:

search: search `pipe`
normalizedSearch: litsearch | addinfo type=count label=prereport_events | fields keepcolorder=t "prestats_reserved_*" "psrsvd_*" | prestats count
remoteSearch: litsearch | addinfo type=count label=prereport_events | fields keepcolorder=t "prestats_reserved_*" "psrsvd_*" | prestats count

Here, Splunk's telling its search peers "Run a search with no filters and count"... EEEEEEP!

martin_mueller
SplunkTrust

Technically not "why", but I can explain further. Say you have two macros like this:

[pipe]
definition = | stats count
iseval = 0
[nopipe]
definition = stats count
iseval = 0

When you run this search

| `nopipe`

and look at the search inspector you see these:

search:           | `nopipe`
normalizedSearch: prestats count
remoteSearch:     prestats count

In other words, Splunk tells its search peers "do nothing, and tell me how many events you found" - yielding a zero very quickly. The explicit pipe at the beginning suppresses the implicit search.
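An added configuration example (not from the original thread) that applies the explanation above to the original question: the macro definition carries no leading pipe, the explicit pipe is written at the call site, and the lookup name is passed in as a macro argument so the workflow action can choose which lookup to modify. The macro name update_lookup, the action name update_my_lookup, the lookup file name my_lookup.csv, the eval step and the search URL are assumptions; the problem form is the [test] macro from the question, with an illustrative lookup step.

```ini
# macros.conf -- added example, not from the original post

# Problem form (the [test] macro from the question; the outputlookup step is
# illustrative). Because the definition starts with "|", calling it as
#   `test`
# lets the implicit "search" be prepended before macro expansion, so the
# peers run an unfiltered search and count every event.
[test]
definition = | stats count | outputlookup append=t some_lookup.csv
iseval = 0

# Corrected form: no leading pipe inside the definition, and the lookup
# name is a macro argument (names are assumptions). Invoke it as
#   | `update_lookup(my_lookup.csv)`
# so the explicit pipe at the call site suppresses the implicit search and
# the job inspector's remoteSearch no longer shows an unfiltered litsearch.
[update_lookup(1)]
args = lookup_name
definition = inputlookup append=t $lookup_name$ | eval last_touched=now() | outputlookup $lookup_name$
iseval = 0

# workflow_actions.conf -- added example; action name, label and URI are
# assumptions. The q= value is the URL-encoded search
#   | `update_lookup(my_lookup.csv)`
# ("|" = %7C, " " = %20, "`" = %60), so the leading pipe is preserved.
[update_my_lookup]
type = link
display_location = both
label = Update my_lookup.csv
link.method = get
link.target = blank
link.uri = /app/search/search?q=%7C%20%60update_lookup(my_lookup.csv)%60
```

To confirm the fix after deploying the macro, open the job inspector on a run of `| \`update_lookup(my_lookup.csv)\`` and check that remoteSearch does not start with an unfiltered litsearch. Prefixing the call with `| localop` (as suggested further down in this thread) is a second way to keep the whole pipeline on the search head regardless of how the macro is written.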

chris
Motivator

Do you know why?


chris
Motivator

Thanks for the suggestion; the problem remains the same, though. I am fine running this manually from the search form, but as soon as the command is packed into a macro a search is triggered. I think macros should either do a proper search or not be the first part of a search ... -> If I take the first pipe out of the macro I'm fine: | macro -> and the macro contains "inputlookup append=t somename" or "stats count"


MuS
Legend

can you try either

| inputlookup append=t

or

| lookup local=true

martin_mueller
SplunkTrust

Depending on what stuff you want to do with a lookup you may use inputlookup instead.

MuS
Legend

How about :

splunk_server=local | stats count | foo boo