Solved: sub search and regular search does not return the ...

matansocher · ‎11-05-2017

Hi

I get the weird result when trying to run the same search in a subsearch and in a regular search.
This is my search:

| inputcsv MilestonesMPS 
| search Design_Element_Name="QUP v3" TASK_SOC_NAME="Napali" Report_Milestone="*P1*" 
| return $TaskDeadline

When I run it as a regular search on its own it returns: "01-02-16", which is the right data.
When I run it as a sub search like that, the result in "p1Date" field is: "-17":

| inputcsv MilestonesMPS 
| search Design_Element_Name="QUP v3" TASK_SOC_NAME="Napali" Report_Milestone="*P*"

| eval p1Date = 
    [| inputcsv MilestonesMPS 
    | search Design_Element_Name="QUP v3" TASK_SOC_NAME="Napali" Report_Milestone="*P1*" 
    | return $TaskDeadline] 

| table Design_Element_Name TASK_SOC_NAME p1Date

What is happening here?

Thanks

HiroshiSatoh · ‎11-06-2017

Arithmetically calculated by EVAL is -17.
p1Date = 1 - 2 - 16 =-17
Is -17 useless?

View solution in original post

HiroshiSatoh · ‎11-06-2017

Arithmetically calculated by EVAL is -17.
p1Date = 1 - 2 - 16 =-17
Is -17 useless?

sub search and regular search does not return the same value

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

sub search and regular search does not return the same value

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard