Please provide a working example of iseval=true or iseval=1, as that also did not work as described in the Splunk docs (http://docs.splunk.com/Documentation/Splunk/latest/Admin/Macrosconf) or in macros.conf. Here is what I tried for iseval=true. I just removed eval $bytes$= from the definition, which was working fine for me without iseval.
#Macro with one argument. iseval true and no Validation or Error Message
[format_bytes_eval_true(1)]
args = bytes
definition = case($bytes$>=1125899906842624 AND $bytes$>1152921504606846976, tostring(round($bytes$/1152921504606846976,2))+" ZB",$bytes$>=1099511627776 AND committed<1125899906842624,tostring(round($bytes$/1073741824,2))+" TB",$bytes$>=1073741824 AND $bytes$<1099511627776, tostring(round($bytes$/1073741824,2))+" GB", $bytes$>=1048576 AND $bytes$<1073741824, tostring(round($bytes$/1048576,2))+" MB", $bytes$>1024 AND $bytes$<1073741824, tostring(round($bytes$/1024,2))+" KB", $bytes$<1024,tostring($bytes$+" Bytes"),1=1,tostring(round($bytes$/1152921504606846976,2))+" ZB")
errormsg =
iseval = true
validation =
PS: I tried on Splunk Enterprise 6.5
Here is one that worked for me to remove leading '1' from telephone numbers:
[normalize_mdn(1)]
args = mdn
iseval = true
definition = replace("$mdn$","1?(.*)","1\1")
And don't forget about $SPLUNK_HOME/etc/system/README/, which is Splunk's home for working examples of every configuration file. In there I found macros.conf.example with this:
# example of an eval-based definition. For example in this case
# `fooeval(10,20)` would get replaced by 10 + 20
[fooeval(2)]
args = foo, bar
definition = if (bar > 0, "$foo$ + $bar$", "$foo$ - $bar$")
iseval = true
@woodcock, thanks for your reply. In the example that I have used, the input argument has been used as a conditional statement in case. Can you point out the issue with the same?
The same condition works without iseval with a slightly different definition, i.e.
definition = eval $byte$ = case (....)
I am very much struggling to understand what you mean. I am at a total loss. Start over, and describe your EXACT problem (forget about any part of the solution). What exactly are you trying to do?
If really it is about an example for which iseval=1 works, here is one with arguments as constants. Might not work with field names as parameters though:
$SPLUNK_HOME$\etc\users\admin\search\local\macros.conf
[ab(2)]
args = p,q
definition = case($p$ > $q$, tostring($p$), $q$ > $p$, tostring($q$), 1=1, tostring($p$))
iseval = 1
And here is the output
For macro with iseval=0, it should look something like:
[isevalzero(2)]
args = p,q
definition = eval first=$p$*100 | eval second=$q$*100
iseval = 0
@gokadroid
The example in my question works without iseval=true or iseval=1 with the definition like the following
definition = eval $byte$ = case (....)
The intent of my question was to check what I am doing wrong when I try to check iseval from the macro definition and change the definition to
definition = case (...)
As stated in the question, I have already tried iseval=true and iseval=1 but none of them work. By the way, I want to pass a field name as an argument, not a value.
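The macros.conf.example comment quoted above says the result of an eval-based definition replaces the macro call, so a macro that takes a field name has to return the search text as a string. The stanzas below are an added sketch of that for the question's macro, not part of the thread and not Splunk's own example. The stanza names are hypothetical, the size ladder is shortened to four branches, and it assumes $bytes$ is substituted before the expression is evaluated, as in the fooeval example:

```ini
# Constructed example; both stanza names are hypothetical.

# Form tried in the question. With iseval = true the case() itself is the
# expression evaluated while the macro is expanded. After substitution,
# $bytes$ is a bare field name, and no event exists at that point to give
# the field a value, so the expression has no per-event data to work on.
[format_bytes_bare(1)]
args = bytes
iseval = true
definition = case($bytes$ >= 1073741824, tostring(round($bytes$/1073741824, 2)) + " GB", $bytes$ >= 1048576, tostring(round($bytes$/1048576, 2)) + " MB", $bytes$ >= 1024, tostring(round($bytes$/1024, 2)) + " KB", 1=1, tostring($bytes$) + " Bytes")

# String-returning form. The eval expression is a single string literal, so
# its value is the search text. $bytes$ is replaced inside the literal, the
# same way "$foo$ + $bar$" is in fooeval, and the inner quotes are escaped.
# Invoked with the field name committed (the field used in the question),
# the macro call is replaced by an eval command that starts
#   eval committed = case(committed >= 1073741824, ...
# and that command then runs once per event.
[format_bytes_str(1)]
args = bytes
iseval = true
definition = "eval $bytes$ = case($bytes$ >= 1073741824, tostring(round($bytes$/1073741824, 2)) + \" GB\", $bytes$ >= 1048576, tostring(round($bytes$/1048576, 2)) + \" MB\", $bytes$ >= 1024, tostring(round($bytes$/1024, 2)) + \" KB\", 1=1, tostring($bytes$) + \" Bytes\")"
```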