Splunk Search

How to prevent | stats count in a macro from triggering a remote search?

Motivator

Using | stats count is often useful to do a quick test

| stats count | some search where you do not need event data

I wanted to use that mechanism/pattern in a macro that does modifications to a lookup. The macro is called/used by a workflow action

[test]
definition = | stats count | do stuff with a lookup
iseval = 0

Calling the macro triggers a remote search and takes much longer than doing the same directly in the search field in the default search view.
Is there a way around this? Is this the wrong aproach?
I could embed the search directly in the work flow action but I would like to pass on the name of the lookup that should get modified.


Update 09.09.2014

Thanks for you suggestions MuS & martin_mueller, they did not work for me at least not the way i tried them:

If I add splunk_server=local to the beginning of the macro a remote search is still triggered:
alt text

If I try with inputlookup as the first command of the macro I get an error:
alt text

If I just enter a | stats count in the search field the job inspector shows the following:
alt text

Tags (4)
1 Solution

SplunkTrust
SplunkTrust

Ah. Yeah, that's normal.

| `some macro`

With the macro not containing the pipe at the beginning.

View solution in original post

Path Finder

| localop | stats count -> remoteSearch = None

0 Karma

SplunkTrust
SplunkTrust

Ah. Yeah, that's normal.

| `some macro`

With the macro not containing the pipe at the beginning.

View solution in original post

SplunkTrust
SplunkTrust

Without the explicit pipe at the beginning the implicit search command gets added before macro replacement, effectively making the search * | stats count. Hence you're counting ALL the events, taking a long time.

That's what's happening, but don't ask me why...

alt text

SplunkTrust
SplunkTrust

Now to compare, you run this:

`pipe`

expecting the search to do the same after macro replacement. However, that's not the case when looking at the search inspector:

search: search `pipe`
normalizedSearch: litsearch | addinfo type=count label=prereport_events | fields keepcolorder=t "prestats_reserved_*" "psrsvd_*" | prestats count
remoteSearch: litsearch | addinfo type=count label=prereport_events | fields keepcolorder=t "prestats_reserved_*" "psrsvd_*" | prestats count

Here, Splunk's telling its search peers "Run a search with no filters and count"... EEEEEEP!

SplunkTrust
SplunkTrust

Technically not "why", but I can explain further. Say you have two macros like this:

[pipe]
definition = | stats count
iseval = 0
[nopipe]
definition = stats count
iseval = 0

When you run this search

| `nopipe`

and look at the search inspector you see these:

search:           | `nopipe`
normalizedSearch: prestats count
remoteSearch:     prestats count

In other words, Splunk tells its search peers "do nothing, and tell me how many events you found" - yielding a zero very quickly. The explicit pipe at the beginning suppresses the implicit search.

Motivator

Do you know why?

0 Karma

Motivator

Thanks for the suggestion, the problem remains the same though. I am fine running this manually from search form but as soon as the command is packed into a macro a search is triggered. I think macros should either do a proper search or not be the first part of a search ... -> If I take the first pipe out of the macro I'm fine: | macro -> and the macro contains "inputlookup append=t somename" or "stats count"

0 Karma

SplunkTrust
SplunkTrust

can you try either

| inputlookup append=t

or

| lookup local=true
0 Karma

SplunkTrust
SplunkTrust

Depending on what stuff you want to do with a lookup you may use inputlookup instead.

SplunkTrust
SplunkTrust

How about :

splunk_server=local | stats count | foo boo