Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What I did wrong here with makeresults command

thinhdinh
Path Finder
‎07-09-2020 01:36 AM

Hello experts,

I am trying to create a custom macro, from that it will returns a result depends on the argument I pass to it, like this:

 

| makeresults | eval param=1 | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "Invalid number") | table result

 

The above searching query works well if I copy whole query and paste to the search bar 

 

| makeresults | eval param=$param$ | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "invalid input") | table result

 

 But when I used as a macro

 

`getNumber(param=1)`

 

I got an error

 

Error in 'makeresults' command: This command must be the first command of a search.

 

How can I solve this issue? Basically this macro will be used in another macro.

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-09-2020 02:05 AM

@thinhdinh,

At the moment, we are not able to use a leading | inside macro definition. It's documented in Pipe characters and generating commands in macro definitions 

Instead you can remove the pipe(|) from definition and use it while invoking it

|`getNumber(1)`

and definition would be

makeresults | eval param=$param$ | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "invalid input") | table result
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-09-2020 02:05 AM

@thinhdinh,

At the moment, we are not able to use a leading | inside macro definition. It's documented in Pipe characters and generating commands in macro definitions 

Instead you can remove the pipe(|) from definition and use it while invoking it

|`getNumber(1)`

and definition would be

makeresults | eval param=$param$ | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "invalid input") | table result
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

thinhdinh
Path Finder
‎07-09-2020 02:38 AM

Thank you for your answer! the error has gone. But the macro always returns the value of true() case, even I pass 1 or 2 as argument. Do you have any idea @renjith_nair ?

0 Karma
Reply
Solved! Jump to solution

thinhdinh
Path Finder
‎07-09-2020 03:03 AM

Oh I was missing the quote mark. Now it works correctly. Thank you again @renjith_nair .

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

💌 Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation

Culture extends beyond work experience and coffee roast preferences on software engineering teams. Team ...