Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

inputlookup in search macro generates error message

MarcRiese
Explorer
‎06-22-2020 11:29 PM

My search consists solely of a call to a search macro. It looks like this:

`blabla1(host="blabla2", mon-host="blabla3" )`

The search macro starts as follows:

| inputlookup blabla4.csv | eval counter=0 | ...

I get an error message "Error in 'inputlookup' command. This command must be the first command of a search."

Does this error message mean that Splunk does not support the use of inputlookup in a search macro?

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 04:10 PM

Using macros with generating searches is described here

https://docs.splunk.com/Documentation/Splunk/8.0.4/Knowledge/Definesearchmacros

i.e. you should not include the pipe in the macro

Reply

MarcRiese
Explorer
‎06-23-2020 11:09 PM

Hi Bowesmana,

The leading pipe was the problem. Thanks for your great help! Much appreciated!

Marc

0 Karma
Reply

MarcRiese
Explorer
‎06-22-2020 11:41 PM

P.S. 

If I put the inputlookup command in the search, just before the call to the search macro like this:

inputlookup blabla4.csv
| `blabla1(host="blabla2", mon-host="blabla3" )`

Where the search macro now starts as follows:

eval counter = 0 | ....

Then when I attempt to search, I get the following error message:

"Error in 'appendcols' command: You can only use appendcols after a reporting command (such as stats, chart, or timechart)."

I don't understand this error message. What can I do to fix this?

0 Karma
Reply

MarcRiese
Explorer
‎06-23-2020 12:23 AM

PPS

Now I understand what the appendcols error message is about. There is such a command in the search macro.

It starts as follows:

eval counter=0
| eval calculated_threshold = 390
| eval threshold_diff_percentage = 5
| appendcols [... ]
| eval ...

This code works without error when it was part of a saved search, but when I put the same code in a search macro I get the error "Error in 'appendcols' command: You can only use appendcols after a reporting command (such as stats, chart, or timechart)."

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 04:18 PM

appendcols works on table type data, so when it talks about stats/chart and so on, it is saying that it needs to be able to take

  • add new column from row_1 in appendcols results to row_1 in base results
  • add new column from row_2 in appendcols results to row_2 in base results

and so on.

| inputlookup does provide that type of data to which you can use appendcols, so I am a guessing that your data going into the macro is not data that fits the above scenario.

Without seeing the full search/macro it's hard to know exactly why.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...