Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to update lookup using macro?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I want to update lookup using search like below, it updates lookup table even if there is no results, but I want to avoid it.
~ | outputlookup sample.csv
So, I was thinking that I can do it by using macro, and configured like below, but it didn't work.
Definition
outputlookup sample.csvArguments
argValidation Expression
isnotnull($arg$)Validation Error Message
result is null !
For example, in the sample search shown below, the field "result" is passed to the macro and the field is null, so I thought that I would get an error, but I did not get an error.| makeresults count=1
|macro(result)
How can I do it? If someone know about it, please tell me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
マクロの仕様ではなく、LOOKUPファイルを上書きしない方法の回答です。
サーチの中で元ファイルを1回追加で読み込んで、サーチ結果が0件でない場合は追加したデータを削除する動きは可能だと思います。
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
マクロの仕様ではなく、LOOKUPファイルを上書きしない方法の回答です。
サーチの中で元ファイルを1回追加で読み込んで、サーチ結果が0件でない場合は追加したデータを削除する動きは可能だと思います。
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
確かにappend=tで元ファイルを取り込んで、dedupするみたいなサーチで実現はできるんですが、macroの動作仕様が気になるので、別途質問しようかと思います…。
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @yutaka1005
Check this link, similar question by @niketnilay
https://answers.splunk.com/answers/488470/macro-with-validation-isnum-does-not-work-even-if.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for answer.
But in that Answers, problem wasn't solved.
I do not know the reason after all, but it ended with the conclusion that isnum() function did not work well.
I wonder how some functions such as isnull (), isnum () and isnotnull () do not work well with macros.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
