Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

call a savedsearch calling a macro from the CLI

mataharry
Communicator
‎02-28-2011 11:19 PM

I have a problem with that :

a macro that fills a new field
[mymacro]
definition = eval now_time=now() | convert ctime(now_time) timeformat="%d/%m/%Y %H:%M:%S"
iseval = 0

a saved search calling that macro
[testmacro]
is_visible = 1
search = index=_internal * earliest=-5d | `mymacro` |  table now_time

____
If i call the macro from the GUI, no problem
index=_internal * earliest=-5d | `mymacro` |  table now_time

If I call the macro from the CLI, no problem (after escaping the `)
./splunk search ' index=_internal * earliest=-5d | `mymacro` |  table now_time' 
or
./splunk search " index=_internal * earliest=-5d | \`mymacro\` |  table now_time" 

____

But if I call the savedsearch calling the macro , it's spreading error
from the CLI
./splunk search '| savedsearch testmacro '
Error in 'SearchParser': Missing a search command before '`'.

or from the GUI
|savedsearch testmacro
Error in 'SearchParser': Missing a search command before '`'.
Tags (3)
Reply

oliverquick
New Member
‎07-15-2011 09:54 AM

Did u ever get anywhere with the 'savedsearch' command within search.

I am having similar issues - no matter how I construct it I get

Error in 'savedsearch' command: Usage: [options]

I know the search exists as it appears after

./splunk help search-commands

0 Karma
Reply

mataharry
Communicator
‎03-01-2011 07:00 PM

I modified the file manually, I just can't find a way to make it work, or to find a way to call it.



./splunk search '| savedsearch testmacro '

./splunk search "| savedsearch testmacro "

./splunk search '| savedsearch "testmacro" '

Error in 'SearchParser': Missing a search command before '`'.

FYI : the GUI can't save a search with escaped characters like



index=_internal * earliest=-5d | `mymacro` |  table now_time

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎03-01-2011 02:53 AM

seems like a bug to me. can you perhaps find and edit your case with the search string definition from the appropriate savedsearches.conf file? it's possible it's a GUI error and it could be worked around by editing the conf file directly.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...