Macro with validation isnum() does not work even if the input argument is numeric

niketn
Legend

I followed steps similar to the isnum() validation applied on a macro input argument, as defined on http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchmacroexamples. However, I always get a validation error, even if the macro argument value is numeric.

Following is the macro definition:

#Working macro with one argument. Validation or Error Message
[format_bytes_validation_error(1)]
args = bytes
definition = eval $bytes$=case($bytes$>=1125899906842624 AND $bytes$>1152921504606846976, tostring(round($bytes$/1152921504606846976,2))+" ZB",$bytes$>=1099511627776 AND $bytes$<1125899906842624,tostring(round($bytes$/1099511627776,2))+" TB",$bytes$>=1073741824 AND $bytes$<1099511627776, tostring(round($bytes$/1073741824,2))+" GB", $bytes$>=1048576 AND $bytes$<1073741824, tostring(round($bytes$/1048576,2))+" MB", $bytes$>1024 AND $bytes$<1073741824, tostring(round($bytes$/1024,2))+" KB", $bytes$<1024,tostring($bytes$+" Bytes"),1=1,tostring(round($bytes$/1152921504606846976,2))+" ZB")
errormsg = "Argument must be numeric"
iseval = 0
validation = isnum($bytes$)

And following is the SPL to test:

| makeresults
| eval size=10221212
| eval fieldType=if(isnum(size),"Numeric","NonNumeric")
| table size, fieldType
| `format_bytes_validation_error(size)`

I also referred to the example in the Splunk documentation for the macros.conf file (http://docs.splunk.com/Documentation/Splunk/latest/Admin/Macrosconf). It mentions a Validation section with arguments without the dollar prefix and suffix, i.e. validation = foo > bar. I tried something similar with my macro argument as well, and it still did not work.

PS: the macro works fine without any validation.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

woodcock
Esteemed Legend

I do not know why, but isnum works differently in validation than it does anywhere else. In validation, it can only receive a literal constant (e.g. 1.1 instead of fieldOnePointOne with a value of 1.1). You could open a support case and ask for it to be fixed or, if they will not, for the online documentation to be made more clear.

0 Karma

niketn
Legend

@woodcock, I had pointed out the same in the Splunk documentation (two issues with macros, including this one and https://answers.splunk.com/answers/488469/require-working-example-of-isevaltrue-in-splunk-ma.html).

I was requested to post these as questions so that, if there is a solution, the same can be updated in the documentation. If not, I am not sure how to get this reported as a bug or enhancement.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

gokadroid
Motivator

The problem might be that the macro is being used with fields. Try the macro with constants and you will realize it works. For field names as macro arguments you might need some workaround for yourself.
See this answer on macro arguments and field name:
https://answers.splunk.com/answers/2913/using-field-values-as-paramaters-for-macros.html#answer-2915

0 Karma

niketn
Legend

@gokadroid, if I take out validation and errormsg from the macro, the macro works just fine. So I need to know why the isnum functionality is not working as expected.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
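
One possible workaround for the behaviour described in the answers above, given as an added example that is not from any of the posters or from Splunk's documentation: drop `validation`/`errormsg` and do the numeric check inside the definition, where `isnum()` is evaluated against the field's value for each event. The stanza name `format_bytes_runtime_check` and the simplified size thresholds are assumptions made for illustration.

```ini
# Added example (hypothetical stanza name; not the original poster's macro).
# No validation/errormsg here: per the answers above, validation only sees the
# argument as typed (the text "size"), not the value the field holds at search time.
[format_bytes_runtime_check(1)]
args = bytes
# $bytes$ is replaced by the field name when the macro expands, so isnum()
# below runs per event on the field's actual value. Non-numeric values get the
# message instead of a formatted size.
definition = eval $bytes$=if(isnum($bytes$), case($bytes$>=1099511627776, tostring(round($bytes$/1099511627776,2))+" TB", $bytes$>=1073741824, tostring(round($bytes$/1073741824,2))+" GB", $bytes$>=1048576, tostring(round($bytes$/1048576,2))+" MB", $bytes$>=1024, tostring(round($bytes$/1024,2))+" KB", true(), tostring($bytes$)+" Bytes"), "Argument must be numeric")
iseval = 0

# Test search (same shape as the one in the question):
#   | makeresults
#   | eval size=10221212
#   | `format_bytes_runtime_check(size)`
```

The trade-off is that a bad argument no longer stops the search with an error before it runs; it shows up as the message in the result field, so a dashboard or alert that consumes the field has to account for that string.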