Using | stats count is often useful to do a quick test: | stats count | some search where you do not need event data
I wanted to use that mechanism/pattern in a macro that does modifications to a lookup. The macro is called/used by a workflow action.
[test]
definition = | stats count | do stuff with a lookup
iseval = 0
Calling the macro triggers a remote search and takes much longer than doing the same directly in the search field in the default search view.
Is there a way around this? Is this the wrong approach?
I could embed the search directly in the workflow action, but I would like to pass on the name of the lookup that should get modified.
Update 09.09.2014
Thanks for your suggestions MuS & martin_mueller, they did not work for me, at least not the way I tried them:
If I add splunk_server=local to the beginning of the macro a remote search is still triggered:
If I try with inputlookup as the first command of the macro I get an error:
If I just enter a | stats count in the search field the job inspector shows the following:
| localop | stats count
-> remoteSearch = None
Ah. Yeah, that's normal.
| `some macro`
With the macro not containing the pipe at the beginning.
Without the explicit pipe at the beginning the implicit search command gets added before macro replacement, effectively making the search * | stats count. Hence you're counting ALL the events, taking a long time.
That's what's happening, but don't ask me why...
Now to compare, you run this:
`pipe`
expecting the search to do the same after macro replacement. However, that's not the case when looking at the search inspector:
search: search `pipe`
normalizedSearch: litsearch | addinfo type=count label=prereport_events | fields keepcolorder=t "prestats_reserved_*" "psrsvd_*" | prestats count
remoteSearch: litsearch | addinfo type=count label=prereport_events | fields keepcolorder=t "prestats_reserved_*" "psrsvd_*" | prestats count
Here, Splunk's telling its search peers "Run a search with no filters and count"... EEEEEEP!
Technically not "why", but I can explain further. Say you have two macros like this:
[pipe]
definition = | stats count
iseval = 0
[nopipe]
definition = stats count
iseval = 0
When you run this search
| `nopipe`
and look at the search inspector you see these:
search: | `nopipe`
normalizedSearch: prestats count
remoteSearch: prestats count
In other words, Splunk tells its search peers "do nothing, and tell me how many events you found" - yielding a zero very quickly. The explicit pipe at the beginning suppresses the implicit search.
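Putting the explanation above into a working configuration, as an added example that is not from the original thread or from the Splunk documentation: the corrected macro keeps the pipe out of its definition and is called with a leading pipe, so no implicit search command is added before expansion. It also goes beyond the thread by passing the lookup name (and the value to add) as macro arguments, which is what the question asked for. The macro name add_to_lookup, the lookup field indicator, the event field src_ip, the watchlist lookup and the workflow action stanza are assumptions for illustration.

```ini
# macros.conf (added example, not the original poster's or Splunk's own config)

# The original [test] macro from the question: the leading pipe INSIDE the
# definition is the problem. With no pipe in the search box, Splunk adds the
# implicit "search" command first and expands the macro afterwards, so the
# peers end up running "search | stats count | ..." - a full scan of all events.
[test]
definition = | stats count | do stuff with a lookup
iseval = 0

# Corrected form: no pipe in the definition, the pipe goes into the search
# that calls the macro. Lookup name and value are macro arguments ("args" and
# $name$ substitution). Assumes the lookup file already exists (inputlookup
# errors on a missing lookup) and has a field named "indicator".
# "| stats count" with nothing before it yields one row (count=0) without
# touching the peers; eval turns that row into the new entry, fields drops the
# count column, dedup keeps an existing row over a re-added duplicate.
[add_to_lookup(2)]
args = lookup_name, value
definition = inputlookup $lookup_name$ | append [ | stats count | eval indicator="$value$", added=now() | fields - count ] | dedup indicator | outputlookup $lookup_name$
iseval = 0

# Calling it (leading pipe in the search, not in the macro):
#   | `add_to_lookup(watchlist, 10.0.0.5)`
# Check in the job inspector: remoteSearch must not start with "litsearch";
# for the corrected form it should be empty or contain no search clause.

# workflow_actions.conf (assumed stanza; $src_ip$ is filled in by the workflow
# action with the field value from the clicked event)
[add_src_ip_to_watchlist]
label = Add $src_ip$ to watchlist
type = search
display_location = both
fields = src_ip
search.search_string = | `add_to_lookup(watchlist, $src_ip$)`
search.target = blank
search.app = search
search.view = search
```

The [test] stanza is kept exactly as posted so the two forms can be compared side by side; only the second stanza and the workflow action are the corrected pattern.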
Do you know why?
Thanks for the suggestion, the problem remains the same though. I am fine running this manually from the search form, but as soon as the command is packed into a macro a search is triggered. I think macros should either do a proper search or not be the first part of a search ... -> If I take the first pipe out of the macro I'm fine: | macro
-> and the macro contains "inputlookup append=t somename" or "stats count"
can you try either
| inputlookup append=t
or
| lookup local=true
Depending on what stuff you want to do with a lookup you may use inputlookup instead.
How about :
splunk_server=local | stats count | foo boo