
How to use the lookup table into a macro with parameters?


I have a lookup table with filters and SPLs columns/values by product/client. I want to use a macro passing the product/client as an argument, and the result should be the entire filter or SPLs. Is there any way to do it?

For example:




mymacro definition should return the values in the lookup table related to the productA.

The search above should return all the fields, commands, and so on related to this productA and execute the search.



Thank you all for the help, but let me be more specific.

Macro definition: mymacro(1) - Based on the customer name, it should return some fields, such as index, sourcetype, filters and so on.

| eval customer="$arg1$" | lookup use_cases.csv customer OUTPUT customer use_case_data_source | fields use_case_data_source | head 1

Search: The field returned by the macro should fill the index field in the search.


Using Job Inspector, the eventSearch field is filled like this:

search | eval customer="client_01" | lookup use_cases.csv customer OUTPUT customer use_case_data_source | fields + use_case_data_source | search index=use_case_data_source

Maybe, I'm missing something or I'm a little rusty.


Esteemed Legend

Hi @rafamss,

create your own search using the lookup, then, when you're sure, move that part of the search into the macro definition, choosing the correct parameters to pass, e.g. if you have

index=X [ | inputlookup my_lookup.csv WHERE product=productA | fields client ]
| ...

it becomes:


[ | inputlookup my_lookup.csv WHERE product=$product$ | fields client ]


index=X `mymacro(productA)`

Be careful to identify all the possible choices, e.g. if you can pass a product or a client, you have to pass two parameters to the macro, e.g.

[ | inputlookup my_lookup.csv WHERE $field$=$product$ | fields client ]

and the search becomes:

index=X `mymacro(product,productA)`

It all depends on the content of the macro; for this reason I suggested before to try the search without the macro,
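
The subsearch-in-a-macro approach from the reply above, applied to the `use_cases.csv` lookup from the question, as an added example that is not part of the original posts. The macro name `customer_index` is hypothetical; the lookup columns `customer` and `use_case_data_source` are taken from the question, and the `validation` expression is an added safeguard so the argument cannot carry extra SPL into the expanded search.

```ini
# macros.conf (constructed example; the macro name customer_index is hypothetical)
[customer_index(1)]
args = customer
# A subsearch runs before the outer search and hands back field=value pairs,
# so the lookup column is renamed to "index" to yield index="<value>"
# instead of the literal text index=use_case_data_source.
definition = [ | inputlookup use_cases.csv where customer="$customer$" | head 1 | rename use_case_data_source AS index | fields index ]
# Accept only plain identifiers as the argument; anything else fails with errormsg.
validation = match("$customer$", "^[A-Za-z0-9_]+$")
errormsg = customer must contain only letters, digits and underscores

# Usage in a search:
#   `customer_index(client_01)` | stats count by sourcetype
# After the subsearch has run, the outer search is:
#   index="<use_case_data_source value for client_01>" | stats count by sourcetype
```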




There are some limitations to using macros inside macros, but in most cases you could do almost everything with macros instead of writing SPL code directly.

@woodcock if I recall right you have some really nice presentation about how to use macros for looping etc? Can you share the link to it?

Esteemed Legend


There's nothing magical about macros.  If you can do it in SPL then it's trivial to make the SPL into a macro.  Unfortunately, I'm fairly certain this cannot be done.

If this reply helps you, Karma would be appreciated.