Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Validation Expression is not working in my macro.

yutaka1005
Builder
‎03-18-2019 02:45 AM

I wanted to use macros to change whether or not to perform a subsequent search, depending on the results of a particular field.
So, I configured following macro for test, but it isn't working well.

  • Definition
    eval status=$arg$

  • Arguments
    arg

  • Validation Expression
    $arg$="OK"

  • Validation Error Message
    this is error!

I tried the following search for the test, but I get an error even if the flag is "OK".

| makeresults count=1 
| eval flag="OK" 
| `test(flag)`

Is something wrong with the settings?
Or is this a bug?

0 Karma
Reply

HiroshiSatoh
Champion
‎03-18-2019 06:45 PM

マクロのValidation Expressionは使わないのが正解なんじゃないですか?
少し検証してみましたが、isnull、isnotnullくらいしかうまく動かない感じです。使いたければこの2つで制御するのをお勧めします。

Ver.7.0.3

0 Karma
Reply

nickhills
Ultra Champion
‎03-18-2019 04:03 AM

Hi @yutaka1005

For the Validation expression use:

like($arg$, "OK")

Also, since you are specifying that the definition is an eval, do not tick 'use eval based expression'

If my comment helps, please give it a thumbs up!
Reply

yutaka1005
Builder
‎03-18-2019 06:00 PM

Although I was checking the operation, it seems that the following Validation Expression does not apply to the value of field passed as an argument.

like($arg$, "OK")

In the above example, the field flag is passed, but it seems that Validation Expression doesn't judge value of flag, but the flag as string.

Is this a specification...?

0 Karma
Reply

yutaka1005
Builder
‎03-18-2019 05:47 PM

Thank you for answer!

I changed validation expression, but it still not work...
(* I didn't tick 'use eval based expression')

By the way, my splunk version is 7.2.3

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...