Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

inputlookup in search macro generates error message

MarcRiese
Explorer
‎06-22-2020 11:29 PM

My search consists solely of a call to a search macro. It looks like this:

`blabla1(host="blabla2", mon-host="blabla3" )`

The search macro starts as follows:

| inputlookup blabla4.csv | eval counter=0 | ...

I get an error message "Error in 'inputlookup' command. This command must be the first command of a search."

Does this error message mean that Splunk does not support the use of inputlookup in a search macro?

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 04:10 PM

Using macros with generating searches is described here

https://docs.splunk.com/Documentation/Splunk/8.0.4/Knowledge/Definesearchmacros

i.e. you should not include the pipe in the macro

Reply

MarcRiese
Explorer
‎06-23-2020 11:09 PM

Hi Bowesmana,

The leading pipe was the problem. Thanks for your great help! Much appreciated!

Marc

0 Karma
Reply

MarcRiese
Explorer
‎06-22-2020 11:41 PM

P.S. 

If I put the inputlookup command in the search, just before the call to the search macro like this:

inputlookup blabla4.csv
| `blabla1(host="blabla2", mon-host="blabla3" )`

Where the search macro now starts as follows:

eval counter = 0 | ....

Then when I attempt to search, I get the following error message:

"Error in 'appendcols' command: You can only use appendcols after a reporting command (such as stats, chart, or timechart)."

I don't understand this error message. What can I do to fix this?

0 Karma
Reply

MarcRiese
Explorer
‎06-23-2020 12:23 AM

PPS

Now I understand what the appendcols error message is about. There is such a command in the search macro.

It starts as follows:

eval counter=0
| eval calculated_threshold = 390
| eval threshold_diff_percentage = 5
| appendcols [... ]
| eval ...

This code works without error when it was part of a saved search, but when I put the same code in a search macro I get the error "Error in 'appendcols' command: You can only use appendcols after a reporting command (such as stats, chart, or timechart)."

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 04:18 PM

appendcols works on table type data, so when it talks about stats/chart and so on, it is saying that it needs to be able to take

  • add new column from row_1 in appendcols results to row_1 in base results
  • add new column from row_2 in appendcols results to row_2 in base results

and so on.

| inputlookup does provide that type of data to which you can use appendcols, so I am a guessing that your data going into the macro is not data that fits the above scenario.

Without seeing the full search/macro it's hard to know exactly why.

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...