
Require working example of iseval=true in Splunk macro definition

Legend

Please provide a working example of iseval=true or iseval=1, as that also did not work as described in the Splunk docs (http://docs.splunk.com/Documentation/Splunk/latest/Admin/Macrosconf) or in macros.conf. Here is what I tried for iseval=true. I just removed eval $bytes$= from the definition, which was working fine for me without iseval.

#Macro with one argument. iseval true and no Validation or Error Message
[format_bytes_eval_true(1)]
args = bytes
definition = case($bytes$>=1125899906842624 AND $bytes$>1152921504606846976, tostring(round($bytes$/1152921504606846976,2))+" ZB",$bytes$>=1099511627776 AND committed<1125899906842624,tostring(round($bytes$/1073741824,2))+" TB",$bytes$>=1073741824 AND $bytes$<1099511627776, tostring(round($bytes$/1073741824,2))+" GB", $bytes$>=1048576 AND $bytes$<1073741824, tostring(round($bytes$/1048576,2))+" MB", $bytes$>1024 AND $bytes$<1073741824, tostring(round($bytes$/1024,2))+" KB", $bytes$<1024,tostring($bytes$+" Bytes"),1=1,tostring(round($bytes$/1152921504606846976,2))+" ZB")
errormsg =
iseval = true
validation =

PS: I tried on Splunk Enterprise 6.5




| eval message="Happy Splunking!!!"


0 Karma

Re: Require working example of iseval=true in Splunk macro definition

Motivator

If it really is about an example for which iseval=1 works, here is one with arguments as constants. It might not work with field names as parameters, though:

$SPLUNK_HOME$\etc\users\admin\search\local\macros.conf

[ab(2)]
args = p,q
definition = case($p$ > $q$, tostring($p$), $q$ > $p$, tostring($q$), 1=1, tostring($p$))
iseval = 1

And here is the output

For macro with iseval=0, it should look something like:

[isevalzero(2)]
args = p,q
definition = eval first=$p$*100 | eval second=$q$*100
iseval = 0


0 Karma

Re: Require working example of iseval=true in Splunk macro definition

Legend

@gokadroid

The example in my question works without iseval=true or iseval=1 with the definition like the following

definition = eval $byte$ = case (....)

The intent of my question was to check what I am doing wrong when I try to use iseval in the macro definition and change the definition to

definition = case (...)

As stated in the question, I have already tried iseval=true and iseval=1, but neither of them works. By the way, I want to pass a field name as an argument, not a value.




| eval message="Happy Splunking!!!"


0 Karma

Re: Require working example of iseval=true in Splunk macro definition

Esteemed Legend

Here is one that worked for me to remove leading '1' from telephone numbers:

[normalize_mdn(1)]
args = mdn
iseval = true
definition = replace("$mdn$","1?(.*)","1\1")

And don't forget about $SPLUNK_HOME/etc/system/README/ which is Splunk's home for working examples of every configuration file. In there I found macros.conf.example with this:

# example of an eval-based definition.  For example in this case
# `fooeval(10,20)` would get replaced by 10 + 20
[fooeval(2)]
args = foo, bar
definition = if (bar > 0, "$foo$ + $bar$", "$foo$ - $bar$")
iseval = true
0 Karma
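
An added example, not part of any post in this thread and not Splunk's own sample: with iseval = true the definition is an eval expression evaluated when the search is parsed, and the string it returns becomes the expanded search text, as in the fooeval sample quoted above. A macro that receives a field name therefore has to return the whole eval command as a string. The stanza names, the field name `size`, the shortened unit list and the backslash-escaped inner quotes are assumptions made for this illustration.

```ini
# Hypothetical stanzas for illustration; names are not from the thread.

# iseval = true: the definition must be an eval expression that RETURNS A STRING.
# $bytes$ is substituted textually first, then the expression is evaluated once
# at parse time, and the resulting string replaces the macro call.
# A search containing `format_bytes_eval(size)` expands to:
#   eval size=case(size>=1073741824, tostring(round(size/1073741824,2))." GB", ...)
[format_bytes_eval(1)]
args = bytes
definition = "eval $bytes$=case($bytes$>=1073741824, tostring(round($bytes$/1073741824,2)).\" GB\", $bytes$>=1048576, tostring(round($bytes$/1048576,2)).\" MB\", $bytes$>=1024, tostring(round($bytes$/1024,2)).\" KB\", true(), tostring($bytes$).\" Bytes\")"
iseval = true

# iseval = false: the definition is pasted into the search as-is after
# argument substitution, so it is written as plain SPL with no outer quotes.
# `format_bytes_plain(size)` expands to the same eval command as above.
[format_bytes_plain(1)]
args = bytes
definition = eval $bytes$=case($bytes$>=1073741824, tostring(round($bytes$/1073741824,2))." GB", $bytes$>=1048576, tostring(round($bytes$/1048576,2))." MB", $bytes$>=1024, tostring(round($bytes$/1024,2))." KB", true(), tostring($bytes$)." Bytes")
iseval = false
```

A bare `case(...)` definition under iseval = true is evaluated at parse time, where no event field values exist, and its result is not a search command; that is the difference between the two stanzas.
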

Re: Require working example of iseval=true in Splunk macro definition

Legend

@woodcock, thanks for your reply. In the example that I have used, the input argument has been used as a conditional statement in case. Can you point out the issue with the same?

The same condition works without iseval with slightly different definition i.e.

definition = eval $byte$ = case (....)



| eval message="Happy Splunking!!!"


0 Karma

Re: Require working example of iseval=true in Splunk macro definition

Esteemed Legend

I am very much struggling to understand what you mean. I am at a total loss. Start over, and describe your EXACT problem (forget about any part of the solution). What exactly are you trying to do?

0 Karma