topic Re: Sub search not returning string in Splunk Search

Sub search not returning string

joeybroesky — Mon, 22 Jun 2020 22:46:46 GMT

Why does a sub search return a boolean value? I am expecting to see the department value.

index="activedirectory" (userPrincipalName=*@emailaddress.ca) | eval From_Sub_Search=tostring([search index="activedirectory" (userPrincipalName="*@emailaddress.ca") | return department]) | eval From_Department=tostring(department) | table From_Sub_Search, From_Department

Search shown below:

Re: Sub search not returning string

manjunathmeti — Tue, 10 Mar 2020 20:08:04 GMT

try this:

index="activedirectory" (userPrincipalName=*@emailaddress.ca) | eval From_Sub_Search=tostring([search index="activedirectory" (userPrincipalName="*@emailaddress.ca") | return $department | format] ) | eval From_Department=tostring(department) | table From_Sub_Search, From_Department

Re: Sub search not returning string

joeybroesky — Wed, 30 Sep 2020 04:32:33 GMT

This returns "Null" for From_Sub_Search instead of "True".

See accident answer below.

Re: Sub search not returning string

manjunathmeti — Tue, 10 Mar 2020 20:16:36 GMT

what is the output of index="activedirectory" (userPrincipalName="@emailaddress.ca") | fields department ?

Re: Sub search not returning string

joeybroesky — Tue, 10 Mar 2020 20:26:06 GMT

It return the raw event data. If I table "department" it is correct.

Re: Sub search not returning string

joeybroesky — Tue, 10 Mar 2020 21:47:47 GMT

Added format to the end of the sub search resolved the issue.

index="activedirectory" (userPrincipalName=*@emailaddress.ca) | eval From_Sub_Search=tostring([search index="activedirectory" (userPrincipalName="*@emailaddress.ca") | return $department | format]) | eval From_Department=tostring(department) | table From_Sub_Search, From_Department

Re: Sub search not returning string

manjunathmeti — Wed, 11 Mar 2020 07:06:49 GMT

That's great! I updated my answer so that it can help others looking for similar problem.