inputlookup in a macro

phoenixdigital
Builder

Can someone please explain why this will work as a search but not as a macro?

Working search

| inputlookup customer-details.csv  | search Mirn="533*"

Not working macro

| inputlookup customer-details.csv  | search Mirn="$Mirn$"

The error when running it as a macro is

Error in 'inputlookup' command: This command must be the first command of a search.

This tweaked macro does however work

stats count | append [inputlookup customer-details.csv  | search Mirn="$Mirn$"] | table *

I understand it has something to do with Splunk wanting to work with existing events and the 'stats count' creates a fake event for everything to append to.

But a technical explanation of what is happening here in detail would be great, thanks.

sideview
SplunkTrust

It sounds like you're using the macro in a place where there's something in front of it, even if that something is just "*"

i.e., running this search will give you the exact same error in the UI

* | inputlookup customer-details.csv

So it's not so much the macro that doesn't work, as the way the macro is being used. Or at least the way Splunk thinks the macro is being used.

I think this would also explain why the tweaked macro does work, because the "something before" would just get quietly flattened and thrown away by that | stats count

UPDATE:

Indeed, if the macro has the leading pipe character in the definition, and you then use that macro in the search box as myMacro, there's your problem. The reason is that the search box will always prefix the search with the "search" command if it doesn't see a leading pipe. Since it sees no leading pipe, you end up sending "search | inputlookup" to splunkd, hence your error.

One solution might be to leave the leading pipe character out of the macro, thus you'd be typing in

| `myMacro`
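
The fix described in the answer above, written out as a macros.conf stanza. This is an added example, not part of the original post; the one-argument form myMacro(1) and the invocation value are assumptions based on the question's Mirn="$Mirn$" usage.

```ini
# macros.conf: constructed example. The macro name myMacro and the argument
# Mirn come from the thread; the one-argument stanza form is an assumption.

# Broken form (commented out): the definition starts with a pipe. Typing
# `myMacro(533*)` in the search box gives splunkd a string with no leading
# pipe, so "search" is prefixed and inputlookup is no longer the first command.
# [myMacro(1)]
# args = Mirn
# definition = | inputlookup customer-details.csv | search Mirn="$Mirn$"

# Corrected form: no leading pipe inside the definition.
[myMacro(1)]
args = Mirn
definition = inputlookup customer-details.csv | search Mirn="$Mirn$"

# Invocation typed in the search box, with the pipe supplied by the caller:
#   | `myMacro(533*)`
```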

sideview
SplunkTrust

Aha. That makes perfect sense. I'll update my answer. You need to basically not have the pipe character in the macro. If there's no pipe character in the search box, then the search box assumes it's a search term, and it puts a "search " in front of the contents when it dispatches the search.

0 Karma

phoenixdigital
Builder

Thanks Nick for the reply. I reread my previous response and it seemed a bit terse. That was not my intention 🙂

This search is being performed in a standard search box not in a dashboard. Pressing the information button when searching on '| inputlookup customer-details.csv' which works gives me this

http://imgur.com/x27JIbt

However if I put this exact text into a macro and call the macro directly with nothing else it fails with the error in the first post.

0 Karma

sideview
SplunkTrust

Can you describe more fully where exactly it's being used? In a HiddenSearch module? or in the simple XML? Because sometimes the UI will sneak in a "*" before things and my suspicion is that's what's happening here. You can also use a tool like Firebug to look at the HTTP traffic and look at the search as it's being POSTed to Splunkd.

0 Karma

phoenixdigital
Builder

That's why I posted the question. I don't have anything in front of it no * or anything.

You will notice it works as a search by itself but not a macro.

The bigger picture here is to pass a variable to the macro which will use inputlookup to find a row in the CSV. The row returned can then be used to append a sub search based on columns in the CSV row.

Sure we could do the search first and then limit by the lookup but then Splunk would be working with a much larger data set.

0 Karma