More information:
Updating macros.conf from lookup. Below is my macro query and lookup definition (only the first 2 rows; I have 50 currently and it is expected to grow to 150+), which I want to update from a scheduled search, rather than manually. Can we construct something in Python? A shell script is another alternative, but if we can write a command for this, then it would be great. This is 1 case; if we can create something, it would be applicable to at least 2 more places. Also, this lookup file is updated at least 2 times every week. So automation can be really helpful for Splunk.
Lookup:
PITS_Number,PITS_Exception,Status,Cluster_Type,Priority
194458,NoSuchPropertyException caught in ProductMaintenanceServiceImpl,Open,Global Cluster,High
237666,Unknown/unsupported Order format1 message type,Open,Business Cluster,Medium
Macro:
index=cboe_* splunk_server=* | rex field=_raw "(?<PITS_194458>NoSuchPropertyException caught in ProductMaintenanceServiceImpl)"|rex field=_raw "(?<PITS_237666>Unknown/unsupported Order format1 message type)"| eval PITS_Number1=if(PITS_194458!="",194458,"")|eval PITS_Number2=if(PITS_237666!="",237666,"")|eval PITS_Exception=mvappend(PITS_194458,PITS_237666)|search PITS_Exception!=""| eval PITS_Number=mvappend(PITS_Number1,PITS_Number2)| lookup PITS.csv PITS as PITS_Number OUTPUT PITS as PITS, Exception as PITS_Exception_Pattern,Cluster_Type as Cluster,Priority as Priority,Status as Status
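An added example, not part of the original post and not Splunk's own code: one way to generate the macro definition from the lookup in Python. The macro name pits_exceptions and the function names are hypothetical; lookup cells containing quotes, backslashes or line breaks are rejected, and regex metacharacters are escaped, so lookup text cannot change the generated search.

```python
import csv
import io
import re

# Constructed sample input: the header and two lookup rows shown in the post.
SAMPLE_LOOKUP = (
    "PITS_Number,PITS_Exception,Status,Cluster_Type,Priority\n"
    "194458,NoSuchPropertyException caught in ProductMaintenanceServiceImpl,Open,Global Cluster,High\n"
    "237666,Unknown/unsupported Order format1 message type,Open,Business Cluster,Medium\n"
)
BASE = "index=cboe_* splunk_server=*"
TAIL = ("lookup PITS.csv PITS as PITS_Number OUTPUT PITS as PITS, "
        "Exception as PITS_Exception_Pattern,Cluster_Type as Cluster,"
        "Priority as Priority,Status as Status")

def rex_literal(text):
    """Return text as a literal regex for use inside rex "..."."""
    # Assumption: quotes, backslashes and line breaks are rejected rather than
    # escaped, so a lookup cell can never close the quoted rex string.
    if re.search(r'["\\\r\n]', text):
        raise ValueError(f"unsupported character in exception text: {text!r}")
    return re.sub(r"([.^$*+?{}\[\]|()])", r"\\\1", text)

def build_definition(csv_text):
    """Build the macro search string from the lookup CSV contents."""
    rex, evals, exc_fields, num_fields = [], [], [], []
    for i, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        number = row["PITS_Number"].strip()
        if not re.fullmatch(r"[0-9]+", number):  # becomes part of a field name
            raise ValueError(f"PITS_Number is not numeric: {number!r}")
        field = f"PITS_{number}"
        pattern = rex_literal(row["PITS_Exception"].strip())
        rex.append(f'rex field=_raw "(?<{field}>{pattern})"')
        evals.append(f'eval PITS_Number{i}=if({field}!="",{number},"")')
        exc_fields.append(field)
        num_fields.append(f"PITS_Number{i}")
    if not rex:
        raise ValueError("lookup has no rows")
    steps = [BASE, *rex, *evals,
             f"eval PITS_Exception=mvappend({','.join(exc_fields)})",
             'search PITS_Exception!=""',
             f"eval PITS_Number=mvappend({','.join(num_fields)})",
             TAIL]
    return " | ".join(steps)

def macro_stanza(name, definition):
    """Format a macros.conf stanza; the macro name is chosen by the caller."""
    return f"[{name}]\ndefinition = {definition}\n"

if __name__ == "__main__":
    print(macro_stanza("pits_exceptions", build_definition(SAMPLE_LOOKUP)))
```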