Solved: Re: How to update lookup using macro?

yutaka1005 · ‎03-11-2019

When I want to update lookup using search like below, it updates lookup table even if there is no results, but I want to avoid it.
~ | outputlookup sample.csv

So, I was thinking that I can do it by using macro, and configured like below, but it didn't work.

Definition
outputlookup sample.csv
Arguments
arg
Validation Expression
isnotnull($arg$)
Validation Error Message
result is null !
For example, in the sample search shown below, the field "result" is passed to the macro and the field is null, so I thought that I would get an error, but I did not get an error.

| makeresults count=1
| macro(result)
How can I do it? If someone know about it, please tell me.

HiroshiSatoh · ‎03-13-2019

マクロの仕様ではなく、LOOKUPファイルを上書きしない方法の回答です。

サーチの中で元ファイルを１回追加で読み込んで、サーチ結果が０件でない場合は追加したデータを削除する動きは可能だと思います。

View solution in original post

HiroshiSatoh · ‎03-13-2019

マクロの仕様ではなく、LOOKUPファイルを上書きしない方法の回答です。

サーチの中で元ファイルを１回追加で読み込んで、サーチ結果が０件でない場合は追加したデータを削除する動きは可能だと思います。

yutaka1005 · ‎03-13-2019

確かにappend=tで元ファイルを取り込んで、dedupするみたいなサーチで実現はできるんですが、macroの動作仕様が気になるので、別途質問しようかと思います…。

vnravikumar · ‎03-11-2019

Hi @yutaka1005

Check this link, similar question by @niketnilay

https://answers.splunk.com/answers/488470/macro-with-validation-isnum-does-not-work-even-if.html

yutaka1005 · ‎03-13-2019

Thank you for answer.

But in that Answers, problem wasn't solved.
I do not know the reason after all, but it ended with the conclusion that isnum() function did not work well.

I wonder how some functions such as isnull (), isnum () and isnotnull () do not work well with macros.

How to update lookup using macro?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor