Hi, I am trying to put a metadata search into a macro, but having trouble making it work.
The macro is something like the following (there is more to it, but this will allow you to replicate):
| metadata type=hosts index=myindex
When i run the macro, I get an error "Error in 'metadata' command: This command must be the first command of a search."
I would seem that something is inserted in front of the pipe which is stopping the macro from running. I need it in a macro as i am calling it from a form which calls a number of different macro searches that i have set up as reports. Specifying the pipe outside of the macro is not an option.
You will not be able to lead with a pipe in a macro, per the macro docs...
Note: if a macro definition includes a leading pipe character ("|"), you may not use it as the first term in searches from the UI. Example: "| metadata type=sources". The UI does not do the macro expansion and cannot correctly identify the initial pipe to differentiate it from a regular search term. The UI constructs the search as if the macro name were a search term, which after expansion would cause the metadata command to be incorrectly formed and therefore invalid.
If you're using this from a View, you can still do this by leading the macro with a pipe...
<param name="search">| `my_metadata_macro`</param>
Or from the search app you can still type
| `my_metadata_macro`
Updating as this is the first result on google and behaviour has changed. See the new instructions here: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesearchmacros#Search_macros_that_cont...
Generating commands can be used in macros, but you need to remove the leading |
from the macro itself and put that in the search bar. IE:
| `my macro`
You will not be able to lead with a pipe in a macro, per the macro docs...
Note: if a macro definition includes a leading pipe character ("|"), you may not use it as the first term in searches from the UI. Example: "| metadata type=sources". The UI does not do the macro expansion and cannot correctly identify the initial pipe to differentiate it from a regular search term. The UI constructs the search as if the macro name were a search term, which after expansion would cause the metadata command to be incorrectly formed and therefore invalid.
If you're using this from a View, you can still do this by leading the macro with a pipe...
<param name="search">| `my_metadata_macro`</param>
Or from the search app you can still type
| `my_metadata_macro`
Odd because I have a macro search that starts with
| append [ .....
Therefore starting with a pipe and works fine.
Thanks - I probably should have checked the manual first... However, that is kind of annoying. Will have to find a workaround.