I wanted to use macros to change whether or not to perform a subsequent search, depending on the results of a particular field.
So, I configured following macro for test, but it isn't working well.
Definition
eval status=$arg$
Arguments
arg
Validation Expression
$arg$="OK"
Validation Error Message
this is error!
I tried the following search for the test, but I get an error even if the flag is "OK".
| makeresults count=1
| eval flag="OK"
| `test(flag)`
Is something wrong with the settings?
Or is this a bug?
マクロのValidation Expressionは使わないのが正解なんじゃないですか?
少し検証してみましたが、isnull、isnotnullくらいしかうまく動かない感じです。使いたければこの2つで制御するのをお勧めします。
Ver.7.0.3
Hi @yutaka1005
For the Validation expression use:
like($arg$, "OK")
Also, since you are specifying that the definition is an eval, do not tick 'use eval based expression'
Although I was checking the operation, it seems that the following Validation Expression
does not apply to the value of field passed as an argument.
like($arg$, "OK")
In the above example, the field flag
is passed, but it seems that Validation Expression
doesn't judge value of flag
, but the flag
as string.
Is this a specification...?
Thank you for answer!
I changed validation expression, but it still not work...
(* I didn't tick 'use eval based expression')
By the way, my splunk version is 7.2.3