Knowledge Management

Why am I having Issues with use of LIKE in macro validation?

Pat
Path Finder

So I have a macro that has a field variable that I want to use a wildcard and worse the field names tend to have dots.  So a good field would be body.system.diskio.write.bytes and I tried using the following:

LIKE($field$, "body_system_diskio%")

with the idea is if would error if the field did not at least contain body.system.diskio.  I put the underscores in as im not sure it could handle the dots.  This does not work for me.  Anyone know what im doing wrong here?

 

EDITED :  I only had two options for conditionals and ended up getting it to work with match($BodySystemDiskIoBytes$, "body.system.diskio.write.bytes|body.system.diskio.read.bytes")

Labels (1)
Tags (2)
0 Karma
1 Solution

Pat
Path Finder

I got this solved by switching to the match  conditional

View solution in original post

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Your macro should have single quotes around $field$ so that if your field name has non standard characters (e.g. dots), then it will work, so like this

LIKE('$field$', "body_system_diskio%")
0 Karma

Pat
Path Finder

I got this solved by switching to the match  conditional

0 Karma

Pat
Path Finder

thanks.  This helped somewhat in that it does not fail but now it never fails.  I tried taking it one step further and tried LIKE('$BodySystemDiskIoBytes$', "'body.system.diskio'%") but no luck.  My failure field im using is "body.system.test.write.bytes"

0 Karma
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...