Require working example of iseval=true in Splunk m...

niketn · ‎01-15-2017

Please provide working example of iseval=true or iseval=1 as that also did not work as described in Splunk docs (http://docs.splunk.com/Documentation/Splunk/latest/Admin/Macrosconf) or in macros.conf. Here is what I tries for iseval=true. I just removed eval $bytes$= from definition which was working fine for me without iseval.

#Macro with one argument. iseval true and no Validation or Error Message
[format_bytes_eval_true(1)]
args = bytes
definition = case($bytes$>=1125899906842624 AND $bytes$>1152921504606846976, tostring(round($bytes$/1152921504606846976,2))+" ZB",$bytes$>=1099511627776 AND committed<1125899906842624,tostring(round($bytes$/1073741824,2))+" TB",$bytes$>=1073741824 AND $bytes$<1099511627776, tostring(round($bytes$/1073741824,2))+" GB", $bytes$>=1048576 AND $bytes$<1073741824, tostring(round($bytes$/1048576,2))+" MB", $bytes$>1024 AND $bytes$<1073741824, tostring(round($bytes$/1024,2))+" KB", $bytes$<1024,tostring($bytes$+" Bytes"),1=1,tostring(round($bytes$/1152921504606846976,2))+" ZB")
errormsg =
iseval = true
validation =

PS: I tried on Splunk Enterprise 6.5

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

woodcock · ‎01-17-2017

Here is one that worked for me to remove leading '1' from telephone numbers:

[normalize_mdn(1)]
args = mdn
iseval = true
definition = replace("$mdn$","1?(.*)","1\1")

And don't forget about $SPLUNK_HOME/etc/system/README/ which is Splunk's home for working examples of every configuration file. In there I found macros.conf.example with this:

# example of an eval-based definition.  For example in this case
# `fooeval(10,20)` would get replaced by 10 + 20
[fooeval(2)]
args = foo, bar
definition = if (bar > 0, "$foo$ + $bar$", "$foo$ - $bar$")
iseval = true

niketn · ‎01-17-2017

@woodcock, thanks for your reply. In the example that I have used input argument has been used as conditional statement in case. Can you point out issue with the same?

The same condition works without iseval with slightly different definition i.e.

definition = eval $byte$ = case (....)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

woodcock · ‎02-07-2017

I am very much struggling to understand what you mean. I am at a total loss. Start over, and describe your EXACT problem (forget about any part of the solution). What exactly are you trying to do?

gokadroid · ‎01-15-2017

If really it is about an example for which iseval=1 works, here is one with arguments as constants. Might not work with field names as parameters though:

$SPLUNK_HOME$\etc\users\admin\search\local\macros.conf

[ab(2)]
args = p,q
definition = case($p$ > $q$, tostring($p$), $q$ > $p$, tostring($q$), 1=1, tostring($p$))
iseval = 1

And here is the output

For macro with iseval=0, it should look something like:

[isevalzero(2)]
args = p,q
definition = eval first=$p$*100 | eval second=$q$*100
iseval = 0

niketn · ‎01-16-2017

@gokadroid

The example in my question works without iseval=true or iseval=1 with the definition like the following

definition = eval $byte$ = case (....)

The intent of my question was to check as to what am I doing wrong when I try to check iseval from macro definition and change the definition to

definition = case (...)

As stated in the question, I have already tried iseval=true and iseval=1 but none of them work. By the way I want to pass field name as an argument not value.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Require working example of iseval=true in Splunk macro definition

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms