Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cannot Call A Search Command from Search Macro

spraus
Explorer
‎02-08-2018 11:48 AM

Hello everyone;

I am trying to call a search command from a search macro. Does anyone have a suggestion.
Example:
Typical Search String: | ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"
Search Macro: | ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" $filter$

When I run this it is as if 'ldapsearch' is not executed as the search returns way too quick as compared to the raw search.

Thank you in advance;
SPraus

Edit:
Exact "Actual" Macro:

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs="cn,sAMAccountName,mail,department,displayName,canonicalName,objectCategory,l,memberOf,pwdLastSet,sAMAccountType,title,givenName,sn,info,comment,userAccountControl,lastLogon" | rex field=memberOf "CN=(?<groups>.*?),OU=" | strcat "Info: " info "::" "Comment: " comment infoComments | makemv delim="::" infoComments | makemv delim=";" duoAliases | makemv delim="/" canonicalName | eval container = mvindex(canonicalName, 1) | search $filter$

And I have tested with just simply the start as I suggested above.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎02-08-2018 11:56 AM

The ldapsearch command is a generating command, which means it must always be preceded by a | (pipe) character. When generating commands are used in macros, you can't put the pipe inside the macro, so you'll need to ensure your search query always contains a pipe immediately before the macro on your search line. So if your macro is named ldap_macro, then you can't do this:

`ldap_macro` | whatever else...

Instead, you must always do this:

| `ldap_macro` | whatever else...

View solution in original post

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎02-08-2018 11:56 AM

The ldapsearch command is a generating command, which means it must always be preceded by a | (pipe) character. When generating commands are used in macros, you can't put the pipe inside the macro, so you'll need to ensure your search query always contains a pipe immediately before the macro on your search line. So if your macro is named ldap_macro, then you can't do this:

`ldap_macro` | whatever else...

Instead, you must always do this:

| `ldap_macro` | whatever else...
Reply
Solved! Jump to solution

spraus
Explorer
‎02-08-2018 12:06 PM

My apologies elliotproebstel... My macro does include the "| ldapsearch " as you suggest. I forgot to add it above and will edit it. Unfortunately even with the | it is still not returning any results. My exact macro will now be added to the edit.

Sorry about that;
Stephen

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎02-08-2018 12:13 PM

I think he's saying your macro needs to look like:

[<macro name>]
search = ldapsearch ...

And you would do this in your search string:

| `<macro name>`
Reply
Solved! Jump to solution

spraus
Explorer
‎02-08-2018 12:15 PM

You are completely correct Micah. Thank you!!!

Final answers:
Search Macro: " ldapsearch ....." (Note no |)
Use of search macro: " | {SearchMacroName} " (Note |)

Thank you all!!!

Reply
Solved! Jump to solution

micahkemp
Champion
‎02-08-2018 12:00 PM

Specifically you just can't start a macro with a pipe.

Reply
Solved! Jump to solution

elliotproebstel
Champion
‎02-08-2018 02:11 PM

Yes, thanks for correcting and clarifying!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...