- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Cannot Call A Search Command from Search Macro
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello everyone;
I am trying to call a search command from a search macro. Does anyone have a suggestion.
Example:
Typical Search String: | ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"
Search Macro: | ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" $filter$
When I run this it is as if 'ldapsearch' is not executed as the search returns way too quick as compared to the raw search.
Thank you in advance;
SPraus
Edit:
Exact "Actual" Macro:
| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs="cn,sAMAccountName,mail,department,displayName,canonicalName,objectCategory,l,memberOf,pwdLastSet,sAMAccountType,title,givenName,sn,info,comment,userAccountControl,lastLogon" | rex field=memberOf "CN=(?<groups>.*?),OU=" | strcat "Info: " info "::" "Comment: " comment infoComments | makemv delim="::" infoComments | makemv delim=";" duoAliases | makemv delim="/" canonicalName | eval container = mvindex(canonicalName, 1) | search $filter$
And I have tested with just simply the start as I suggested above.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The ldapsearch command is a generating command, which means it must always be preceded by a | (pipe) character. When generating commands are used in macros, you can't put the pipe inside the macro, so you'll need to ensure your search query always contains a pipe immediately before the macro on your search line. So if your macro is named ldap_macro, then you can't do this:
`ldap_macro` | whatever else...
Instead, you must always do this:
| `ldap_macro` | whatever else...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The ldapsearch command is a generating command, which means it must always be preceded by a | (pipe) character. When generating commands are used in macros, you can't put the pipe inside the macro, so you'll need to ensure your search query always contains a pipe immediately before the macro on your search line. So if your macro is named ldap_macro, then you can't do this:
`ldap_macro` | whatever else...
Instead, you must always do this:
| `ldap_macro` | whatever else...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My apologies elliotproebstel... My macro does include the "| ldapsearch " as you suggest. I forgot to add it above and will edit it. Unfortunately even with the | it is still not returning any results. My exact macro will now be added to the edit.
Sorry about that;
Stephen
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think he's saying your macro needs to look like:
[<macro name>]
search = ldapsearch ...
And you would do this in your search string:
| `<macro name>`
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are completely correct Micah. Thank you!!!
Final answers:
Search Macro: " ldapsearch ....." (Note no |)
Use of search macro: " | {SearchMacroName} " (Note |)
Thank you all!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Specifically you just can't start a macro with a pipe.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, thanks for correcting and clarifying!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
