Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What I did wrong here with makeresults command

thinhdinh
Path Finder
‎07-09-2020 01:36 AM

Hello experts,

I am trying to create a custom macro, from that it will returns a result depends on the argument I pass to it, like this:

 

| makeresults | eval param=1 | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "Invalid number") | table result

 

The above searching query works well if I copy whole query and paste to the search bar 

 

| makeresults | eval param=$param$ | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "invalid input") | table result

 

 But when I used as a macro

 

`getNumber(param=1)`

 

I got an error

 

Error in 'makeresults' command: This command must be the first command of a search.

 

How can I solve this issue? Basically this macro will be used in another macro.

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-09-2020 02:05 AM

@thinhdinh,

At the moment, we are not able to use a leading | inside macro definition. It's documented in Pipe characters and generating commands in macro definitions 

Instead you can remove the pipe(|) from definition and use it while invoking it

|`getNumber(1)`

and definition would be

makeresults | eval param=$param$ | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "invalid input") | table result
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-09-2020 02:05 AM

@thinhdinh,

At the moment, we are not able to use a leading | inside macro definition. It's documented in Pipe characters and generating commands in macro definitions 

Instead you can remove the pipe(|) from definition and use it while invoking it

|`getNumber(1)`

and definition would be

makeresults | eval param=$param$ | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "invalid input") | table result
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

thinhdinh
Path Finder
‎07-09-2020 02:38 AM

Thank you for your answer! the error has gone. But the macro always returns the value of true() case, even I pass 1 or 2 as argument. Do you have any idea @renjith_nair ?

0 Karma
Reply
Solved! Jump to solution

thinhdinh
Path Finder
‎07-09-2020 03:03 AM

Oh I was missing the quote mark. Now it works correctly. Thank you again @renjith_nair .

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...