Knowledge Management

Why am I having Issues with use of LIKE in macro validation?

Pat
Path Finder

So I have a macro that has a field variable that I want to use a wildcard and worse the field names tend to have dots.  So a good field would be body.system.diskio.write.bytes and I tried using the following:

LIKE($field$, "body_system_diskio%")

with the idea is if would error if the field did not at least contain body.system.diskio.  I put the underscores in as im not sure it could handle the dots.  This does not work for me.  Anyone know what im doing wrong here?

 

EDITED :  I only had two options for conditionals and ended up getting it to work with match($BodySystemDiskIoBytes$, "body.system.diskio.write.bytes|body.system.diskio.read.bytes")

Labels (1)
Tags (2)
0 Karma
1 Solution

Pat
Path Finder

I got this solved by switching to the match  conditional

View solution in original post

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Your macro should have single quotes around $field$ so that if your field name has non standard characters (e.g. dots), then it will work, so like this

LIKE('$field$', "body_system_diskio%")
0 Karma

Pat
Path Finder

I got this solved by switching to the match  conditional

0 Karma

Pat
Path Finder

thanks.  This helped somewhat in that it does not fail but now it never fails.  I tried taking it one step further and tried LIKE('$BodySystemDiskIoBytes$', "'body.system.diskio'%") but no luck.  My failure field im using is "body.system.test.write.bytes"

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...