Solved: Re: Issues with use of LIKE in macro validation

Pat · ‎04-06-2022

So I have a macro that has a field variable that I want to use a wildcard and worse the field names tend to have dots. So a good field would be body.system.diskio.write.bytes and I tried using the following:

LIKE($field$, "body_system_diskio%")

with the idea is if would error if the field did not at least contain body.system.diskio. I put the underscores in as im not sure it could handle the dots. This does not work for me. Anyone know what im doing wrong here?

EDITED : I only had two options for conditionals and ended up getting it to work with match($BodySystemDiskIoBytes$, "body.system.diskio.write.bytes|body.system.diskio.read.bytes")

Pat · ‎04-07-2022

I got this solved by switching to the match conditional

View solution in original post

bowesmana · ‎04-06-2022

Your macro should have single quotes around $field$ so that if your field name has non standard characters (e.g. dots), then it will work, so like this

LIKE('$field$', "body_system_diskio%")

Pat · ‎04-07-2022

I got this solved by switching to the match conditional

Pat · ‎04-07-2022

thanks. This helped somewhat in that it does not fail but now it never fails. I tried taking it one step further and tried LIKE('$BodySystemDiskIoBytes$', "'body.system.diskio'%") but no luck. My failure field im using is "body.system.test.write.bytes"

Why am I having Issues with use of LIKE in macro validation?

search macro

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies