Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

inputlookup in search macro generates error message

MarcRiese
Explorer
‎06-22-2020 11:29 PM

My search consists solely of a call to a search macro. It looks like this:

`blabla1(host="blabla2", mon-host="blabla3" )`

The search macro starts as follows:

| inputlookup blabla4.csv | eval counter=0 | ...

I get an error message "Error in 'inputlookup' command. This command must be the first command of a search."

Does this error message mean that Splunk does not support the use of inputlookup in a search macro?

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 04:10 PM

Using macros with generating searches is described here

https://docs.splunk.com/Documentation/Splunk/8.0.4/Knowledge/Definesearchmacros

i.e. you should not include the pipe in the macro

Reply

MarcRiese
Explorer
‎06-23-2020 11:09 PM

Hi Bowesmana,

The leading pipe was the problem. Thanks for your great help! Much appreciated!

Marc

0 Karma
Reply

MarcRiese
Explorer
‎06-22-2020 11:41 PM

P.S. 

If I put the inputlookup command in the search, just before the call to the search macro like this:

inputlookup blabla4.csv
| `blabla1(host="blabla2", mon-host="blabla3" )`

Where the search macro now starts as follows:

eval counter = 0 | ....

Then when I attempt to search, I get the following error message:

"Error in 'appendcols' command: You can only use appendcols after a reporting command (such as stats, chart, or timechart)."

I don't understand this error message. What can I do to fix this?

0 Karma
Reply

MarcRiese
Explorer
‎06-23-2020 12:23 AM

PPS

Now I understand what the appendcols error message is about. There is such a command in the search macro.

It starts as follows:

eval counter=0
| eval calculated_threshold = 390
| eval threshold_diff_percentage = 5
| appendcols [... ]
| eval ...

This code works without error when it was part of a saved search, but when I put the same code in a search macro I get the error "Error in 'appendcols' command: You can only use appendcols after a reporting command (such as stats, chart, or timechart)."

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 04:18 PM

appendcols works on table type data, so when it talks about stats/chart and so on, it is saying that it needs to be able to take

  • add new column from row_1 in appendcols results to row_1 in base results
  • add new column from row_2 in appendcols results to row_2 in base results

and so on.

| inputlookup does provide that type of data to which you can use appendcols, so I am a guessing that your data going into the macro is not data that fits the above scenario.

Without seeing the full search/macro it's hard to know exactly why.

 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...