Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

metadata search in a macro doesnt seem to work

pj
Contributor
‎03-27-2011 03:46 PM

Hi, I am trying to put a metadata search into a macro, but having trouble making it work.

The macro is something like the following (there is more to it, but this will allow you to replicate):

| metadata type=hosts index=myindex

When i run the macro, I get an error "Error in 'metadata' command: This command must be the first command of a search."

I would seem that something is inserted in front of the pipe which is stopping the macro from running. I need it in a macro as i am calling it from a form which calls a number of different macro searches that i have set up as reports. Specifying the pipe outside of the macro is not an option.

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎03-27-2011 05:16 PM

You will not be able to lead with a pipe in a macro, per the macro docs...

Note: if a macro definition includes a leading pipe character ("|"), you may not use it as the first term in searches from the UI. Example: "| metadata type=sources". The UI does not do the macro expansion and cannot correctly identify the initial pipe to differentiate it from a regular search term. The UI constructs the search as if the macro name were a search term, which after expansion would cause the metadata command to be incorrectly formed and therefore invalid.

If you're using this from a View, you can still do this by leading the macro with a pipe...

<param name="search">| `my_metadata_macro`</param>

Or from the search app you can still type

| `my_metadata_macro`

View solution in original post

Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎11-10-2017 06:20 AM

Updating as this is the first result on google and behaviour has changed. See the new instructions here: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesearchmacros#Search_macros_that_cont...

Generating commands can be used in macros, but you need to remove the leading | from the macro itself and put that in the search bar. IE:

 | `my macro`
Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎03-27-2011 05:16 PM

You will not be able to lead with a pipe in a macro, per the macro docs...

Note: if a macro definition includes a leading pipe character ("|"), you may not use it as the first term in searches from the UI. Example: "| metadata type=sources". The UI does not do the macro expansion and cannot correctly identify the initial pipe to differentiate it from a regular search term. The UI constructs the search as if the macro name were a search term, which after expansion would cause the metadata command to be incorrectly formed and therefore invalid.

If you're using this from a View, you can still do this by leading the macro with a pipe...

<param name="search">| `my_metadata_macro`</param>

Or from the search app you can still type

| `my_metadata_macro`
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎06-06-2014 10:26 AM

Odd because I have a macro search that starts with
| append [ .....
Therefore starting with a pipe and works fine.

0 Karma
Reply
Solved! Jump to solution

pj
Contributor
‎03-27-2011 06:41 PM

Thanks - I probably should have checked the manual first... However, that is kind of annoying. Will have to find a workaround.

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...