Re: Validation Expression is not working in my mac...

yutaka1005 · ‎03-18-2019

I wanted to use macros to change whether or not to perform a subsequent search, depending on the results of a particular field.
So, I configured following macro for test, but it isn't working well.

Definition
eval status=$arg$
Arguments
arg
Validation Expression
$arg$="OK"
Validation Error Message
this is error!

I tried the following search for the test, but I get an error even if the flag is "OK".

| makeresults count=1 
| eval flag="OK" 
| `test(flag)`

Is something wrong with the settings?
Or is this a bug?

HiroshiSatoh · ‎03-18-2019

マクロのValidation Expressionは使わないのが正解なんじゃないですか？
少し検証してみましたが、isnull、isnotnullくらいしかうまく動かない感じです。使いたければこの２つで制御するのをお勧めします。

Ver.7.0.3

nickhills · ‎03-18-2019

Hi @yutaka1005

For the Validation expression use:

like($arg$, "OK")

Also, since you are specifying that the definition is an eval, do not tick 'use eval based expression'

If my comment helps, please give it a thumbs up!

yutaka1005 · ‎03-18-2019

Although I was checking the operation, it seems that the following Validation Expression does not apply to the value of field passed as an argument.

like($arg$, "OK")

In the above example, the field flag is passed, but it seems that Validation Expression doesn't judge value of flag, but the flag as string.

Is this a specification...?

yutaka1005 · ‎03-18-2019

Thank you for answer!

I changed validation expression, but it still not work...
(* I didn't tick 'use eval based expression')

By the way, my splunk version is 7.2.3

Validation Expression is not working in my macro.

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM