Splunk Search

return command works only with numeric values?

jrodriguezap
Communicator

Hi,
I try to return a string value and it is not recognized, but when I return a numeric value it is recognized. Is there no way to return the string?
My search is:

    host=IMG6460B sourcetype="WinEventLog:Application"
    | eval UserSession=[ search host=IMG6460B sourcetype="WinEventLog:System" | head 1 | return $Session]

But it does not return a value; the returned value is Session="a0291da-2039"

tom_frotscher
Builder

With the "$" sign in front, your return value should be a0291da-2039. But I think this is not working with the eval. Not sure if this is the answer, but can you try this:

host=IMG6460B sourcetype="WinEventLog:Application" | eval UserSession=[ search host=IMG6460B sourcetype="WinEventLog:System" | head 1 | eval temp_session="\"".Session."\"" | return $temp_session]

musskopf
Builder

I don't think it's possible. The closest I got was using the "map" command, which is basically a loop: "for each result, do that...". Have a look at the documentation; it might be useful for you.

jrodriguezap
Communicator

Is this possible? Or is there any other way?

jrodriguezap
Communicator

A question, please.
Can you send a parameter from the main search to the return search?
I need to put a condition on the return value, something like this:

index=main field_MAIN=val1 | eval test=[ search index=other_index | where field_SUB=field_MAIN | head 1 | eval fieldA="\""+fieldA+"\"" | return $fieldA]
jrodriguezap
Communicator

That is true, musskopf.
I had not realized that the quotes were needed. @tom_frotscher's answer was quite right.
Sorry, and thank you very much.

musskopf
Builder

It seems to be a bug; the workaround is to add the quotes as you did. It worked for me:

index=main | eval test=[ search index=other_index | head 1 | eval fieldA="\""+fieldA+"\"" | return $fieldA]

jrodriguezap
Communicator

Hi,
has this ever happened to someone? Or should this be a bug report to support? 😞

jrodriguezap
Communicator

I tried it with another indexer, and I like it.
When I run only

search host=IMG6460B sourcetype="WinEventLog:System" | head 1 | eval temp_session="\"".Session."\"" | return $temp_session

it returns the value

**temp_session**
  a0291da-2039

but when I run it with eval, the field UserSession does not get the value.
It's weird.

linu1988
Champion

For returning multiple values, use makemv, then return the whole value, then divide the multivalued field.

aweitzman
Motivator

That's weird: @tom_frotscher's solution totally worked for me.

(As an aside - you can leave out the head 1 clause in the subsearch - by using the return function the head 1 is implied.)

I agree, it seems strange that you have to do the additional eval processing to get it to work with string values being returned, but it does seem to work correctly.

jrodriguezap
Communicator

Thanks, tom_frotscher.
I tried the eval, but nothing; it does not return the string value, only numeric. Is that normal?
