Solved: sub search and regular search does not return the ...

matansocher · ‎11-05-2017

Hi

I get the weird result when trying to run the same search in a subsearch and in a regular search.
This is my search:

| inputcsv MilestonesMPS 
| search Design_Element_Name="QUP v3" TASK_SOC_NAME="Napali" Report_Milestone="*P1*" 
| return $TaskDeadline

When I run it as a regular search on its own it returns: "01-02-16", which is the right data.
When I run it as a sub search like that, the result in "p1Date" field is: "-17":

| inputcsv MilestonesMPS 
| search Design_Element_Name="QUP v3" TASK_SOC_NAME="Napali" Report_Milestone="*P*"

| eval p1Date = 
    [| inputcsv MilestonesMPS 
    | search Design_Element_Name="QUP v3" TASK_SOC_NAME="Napali" Report_Milestone="*P1*" 
    | return $TaskDeadline] 

| table Design_Element_Name TASK_SOC_NAME p1Date

What is happening here?

Thanks

HiroshiSatoh · ‎11-06-2017

Arithmetically calculated by EVAL is -17.
p1Date = 1 - 2 - 16 =-17
Is -17 useless?

View solution in original post

HiroshiSatoh · ‎11-06-2017

Arithmetically calculated by EVAL is -17.
p1Date = 1 - 2 - 16 =-17
Is -17 useless?

sub search and regular search does not return the same value

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation