Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can anyone help with inputlookup not working inside a macro?

ddelmont
Explorer
‎12-11-2020 11:49 AM

Here is the test_lookup.cvs I'm using:

c1c2c3c4c5
r11234
r25678
r39101112
r413141516

 

This works:

 

| inputlookup test_lookup.csv
| eval input="r1,r2"
| makemv delim="," input
| eval input_rule=if(c1=input,"1","0") 
| where input_rule=1 
| format
| eval search="\"".search."\""

 

Returns:

"( ( c1="r1" AND c2="1" AND c3="2" AND c4="3" AND c5="4" AND ( input="r1" OR input="r2" ) AND input_rule="1" ) OR ( c1="r2" AND c2="5" AND c3="6" AND c4="7" AND c5="8" AND ( input="r1" OR input="r2" ) AND input_rule="1" ) )"

So I created test_macro(1)

 

inputlookup test_lookup.csv
| eval input="$rows$"
| makemv delim="," input
| eval input_rule=if(c1=input,"1","0") 
| where input_rule=1 
| format
| eval search="\"".search."\""

 

Run this:

 

| makeresults
| eval rows="r1,r3"
| eval score=
       [|`test_macro(rows)`]

 


Using the macro the results are:

NOT ()

I have tried everything I can think of!  Pulling my hair out at this point.  Thanks.

Labels (1)
Labels
Tags (2)
0 Karma
Reply

nickhills
Ultra Champion
‎12-12-2020 04:03 AM

Untested, but try this in the macro:

| eval macroRow=$row$
| lookup test_lookup.csv local=true c1 as macroRow
| format
| eval search="\"".search."\""
If my comment helps, please give it a thumbs up!
0 Karma
Reply

ddelmont
Explorer
‎12-11-2020 03:17 PM

So if I read these correctly you can't pass a token to a subsearch:
https://community.splunk.com/t5/Splunk-Search/Pass-value-to-subsearch-with-inputlookup/td-p/494990
https://community.splunk.com/t5/Splunk-Search/How-to-expand-macro-arguments-in-eval-subsearch/m-p/13... 

Ok, So instead of a subsearch with inputlookup, I am trying to pass a token to |ookup.  Not working either... LOL.

So macro set with iseval is now:

| lookup test_lookup.csv local=true c1 as $row$
| format
| eval search="\"".search."\""

Running:

| makeresults
| eval row="r3"
| eval string=`test_macro(row)`

returns:

Error in 'SearchParser': The definition of macro 'test_macro(1)' is expected to be an eval expression that returns a string.

So what am I missing.  I'm running version 7.3.7.1, is that why it doesn't work?

I've also read (below) and seems like this should work.

https://community.splunk.com/t5/Splunk-Search/When-I-use-eval-command-to-assign-search-to-variable-w... 

https://community.splunk.com/t5/Splunk-Search/Don-t-get-eval-based-macros/m-p/32007#M6652 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...