Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What I did wrong here with makeresults command

thinhdinh
Path Finder
‎07-09-2020 01:36 AM

Hello experts,

I am trying to create a custom macro, from that it will returns a result depends on the argument I pass to it, like this:

 

| makeresults | eval param=1 | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "Invalid number") | table result

 

The above searching query works well if I copy whole query and paste to the search bar 

 

| makeresults | eval param=$param$ | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "invalid input") | table result

 

 But when I used as a macro

 

`getNumber(param=1)`

 

I got an error

 

Error in 'makeresults' command: This command must be the first command of a search.

 

How can I solve this issue? Basically this macro will be used in another macro.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-09-2020 02:05 AM

@thinhdinh,

At the moment, we are not able to use a leading | inside macro definition. It's documented in Pipe characters and generating commands in macro definitions 

Instead you can remove the pipe(|) from definition and use it while invoking it

|`getNumber(1)`

and definition would be

makeresults | eval param=$param$ | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "invalid input") | table result
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-09-2020 02:05 AM

@thinhdinh,

At the moment, we are not able to use a leading | inside macro definition. It's documented in Pipe characters and generating commands in macro definitions 

Instead you can remove the pipe(|) from definition and use it while invoking it

|`getNumber(1)`

and definition would be

makeresults | eval param=$param$ | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "invalid input") | table result
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

thinhdinh
Path Finder
‎07-09-2020 02:38 AM

Thank you for your answer! the error has gone. But the macro always returns the value of true() case, even I pass 1 or 2 as argument. Do you have any idea @renjith_nair ?

0 Karma
Reply
Solved! Jump to solution

thinhdinh
Path Finder
‎07-09-2020 03:03 AM

Oh I was missing the quote mark. Now it works correctly. Thank you again @renjith_nair .

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top