Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What I did wrong here with makeresults command

thinhdinh
Path Finder
‎07-09-2020 01:36 AM

Hello experts,

I am trying to create a custom macro, from that it will returns a result depends on the argument I pass to it, like this:

 

| makeresults | eval param=1 | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "Invalid number") | table result

 

The above searching query works well if I copy whole query and paste to the search bar 

 

| makeresults | eval param=$param$ | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "invalid input") | table result

 

 But when I used as a macro

 

`getNumber(param=1)`

 

I got an error

 

Error in 'makeresults' command: This command must be the first command of a search.

 

How can I solve this issue? Basically this macro will be used in another macro.

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎07-09-2020 02:05 AM

@thinhdinh,

At the moment, we are not able to use a leading | inside macro definition. It's documented in Pipe characters and generating commands in macro definitions 

Instead you can remove the pipe(|) from definition and use it while invoking it

|`getNumber(1)`

and definition would be

makeresults | eval param=$param$ | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "invalid input") | table result
Happy Splunking!

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎07-09-2020 02:05 AM

@thinhdinh,

At the moment, we are not able to use a leading | inside macro definition. It's documented in Pipe characters and generating commands in macro definitions 

Instead you can remove the pipe(|) from definition and use it while invoking it

|`getNumber(1)`

and definition would be

makeresults | eval param=$param$ | eval result=case(param == 1, "one", param == 2, "two", param == 3, "three", true(), "invalid input") | table result
Happy Splunking!
Reply
Solved! Jump to solution

thinhdinh
Path Finder
‎07-09-2020 02:38 AM

Thank you for your answer! the error has gone. But the macro always returns the value of true() case, even I pass 1 or 2 as argument. Do you have any idea @renjith_nair ?

0 Karma
Reply
Solved! Jump to solution

thinhdinh
Path Finder
‎07-09-2020 03:03 AM

Oh I was missing the quote mark. Now it works correctly. Thank you again @renjith_nair .

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...