Solved: How to update lookup using macro?

yutaka1005 · ‎03-11-2019

When I want to update lookup using search like below, it updates lookup table even if there is no results, but I want to avoid it.
~ | outputlookup sample.csv

So, I was thinking that I can do it by using macro, and configured like below, but it didn't work.

Definition
outputlookup sample.csv
Arguments
arg
Validation Expression
isnotnull($arg$)
Validation Error Message
result is null !
For example, in the sample search shown below, the field "result" is passed to the macro and the field is null, so I thought that I would get an error, but I did not get an error.

| makeresults count=1
| macro(result)
How can I do it? If someone know about it, please tell me.

HiroshiSatoh · ‎03-13-2019

マクロの仕様ではなく、LOOKUPファイルを上書きしない方法の回答です。

サーチの中で元ファイルを１回追加で読み込んで、サーチ結果が０件でない場合は追加したデータを削除する動きは可能だと思います。

View solution in original post

HiroshiSatoh · ‎03-13-2019

マクロの仕様ではなく、LOOKUPファイルを上書きしない方法の回答です。

サーチの中で元ファイルを１回追加で読み込んで、サーチ結果が０件でない場合は追加したデータを削除する動きは可能だと思います。

yutaka1005 · ‎03-13-2019

確かにappend=tで元ファイルを取り込んで、dedupするみたいなサーチで実現はできるんですが、macroの動作仕様が気になるので、別途質問しようかと思います…。

vnravikumar · ‎03-11-2019

Hi @yutaka1005

Check this link, similar question by @niketnilay

https://answers.splunk.com/answers/488470/macro-with-validation-isnum-does-not-work-even-if.html

yutaka1005 · ‎03-13-2019

Thank you for answer.

But in that Answers, problem wasn't solved.
I do not know the reason after all, but it ended with the conclusion that isnum() function did not work well.

I wonder how some functions such as isnull (), isnum () and isnotnull () do not work well with macros.

How to update lookup using macro?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes