Validation Expression is not working in my macro.

yutaka1005 · ‎03-18-2019

I wanted to use macros to change whether or not to perform a subsequent search, depending on the results of a particular field.
So, I configured following macro for test, but it isn't working well.

Definition
eval status=$arg$
Arguments
arg
Validation Expression
$arg$="OK"
Validation Error Message
this is error!

I tried the following search for the test, but I get an error even if the flag is "OK".

| makeresults count=1 
| eval flag="OK" 
| `test(flag)`

Is something wrong with the settings?
Or is this a bug?

HiroshiSatoh · ‎03-18-2019

マクロのValidation Expressionは使わないのが正解なんじゃないですか？
少し検証してみましたが、isnull、isnotnullくらいしかうまく動かない感じです。使いたければこの２つで制御するのをお勧めします。

Ver.7.0.3

nickhills · ‎03-18-2019

Hi @yutaka1005

For the Validation expression use:

like($arg$, "OK")

Also, since you are specifying that the definition is an eval, do not tick 'use eval based expression'

If my comment helps, please give it a thumbs up!

yutaka1005 · ‎03-18-2019

Although I was checking the operation, it seems that the following Validation Expression does not apply to the value of field passed as an argument.

like($arg$, "OK")

In the above example, the field flag is passed, but it seems that Validation Expression doesn't judge value of flag, but the flag as string.

Is this a specification...?

yutaka1005 · ‎03-18-2019

Thank you for answer!

I changed validation expression, but it still not work...
(* I didn't tick 'use eval based expression')

By the way, my splunk version is 7.2.3

Validation Expression is not working in my macro.

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Validation Expression is not working in my macro.

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?