Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What I did wrong here with makeresults command

thinhdinh
Path Finder
‎07-09-2020 01:36 AM

Hello experts,

I am trying to create a custom macro, from that it will returns a result depends on the argument I pass to it, like this:

 

| makeresults | eval param=1 | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "Invalid number") | table result

 

The above searching query works well if I copy whole query and paste to the search bar 

 

| makeresults | eval param=$param$ | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "invalid input") | table result

 

 But when I used as a macro

 

`getNumber(param=1)`

 

I got an error

 

Error in 'makeresults' command: This command must be the first command of a search.

 

How can I solve this issue? Basically this macro will be used in another macro.

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-09-2020 02:05 AM

@thinhdinh,

At the moment, we are not able to use a leading | inside macro definition. It's documented in Pipe characters and generating commands in macro definitions 

Instead you can remove the pipe(|) from definition and use it while invoking it

|`getNumber(1)`

and definition would be

makeresults | eval param=$param$ | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "invalid input") | table result
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-09-2020 02:05 AM

@thinhdinh,

At the moment, we are not able to use a leading | inside macro definition. It's documented in Pipe characters and generating commands in macro definitions 

Instead you can remove the pipe(|) from definition and use it while invoking it

|`getNumber(1)`

and definition would be

makeresults | eval param=$param$ | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "invalid input") | table result
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

thinhdinh
Path Finder
‎07-09-2020 02:38 AM

Thank you for your answer! the error has gone. But the macro always returns the value of true() case, even I pass 1 or 2 as argument. Do you have any idea @renjith_nair ?

0 Karma
Reply
Solved! Jump to solution

thinhdinh
Path Finder
‎07-09-2020 03:03 AM

Oh I was missing the quote mark. Now it works correctly. Thank you again @renjith_nair .

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...