Splunk Search

return command works only with numeric values​​?

jrodriguezap
Contributor

Hi
I am trying to return a string value and it is not recognized, but when I return a numeric value it is recognized. Is there no way to return the string?
My search is:

    host=IMG6460B sourcetype="WinEventLog:Application" 
    | eval UserSession=[ search host=IMG6460B sourcetype="WinEventLog:System" | head 1 | return $Session]

But it does not return a value; the return value is Session="a0291da-2039"

tom_frotscher
Builder

With the "$" sign in front, your return value should be a0291da-2039. But I think this is not working with the eval. Not sure if this is the answer, but can you try this:

    host=IMG6460B sourcetype="WinEventLog:Application" | eval UserSession=[ search host=IMG6460B sourcetype="WinEventLog:System" | head 1 | eval temp_session="\"".Session."\"" | return $temp_session]

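Why the quoting fix works, as an added example that is not part of tom_frotscher's post or of the original question. A subsearch is replaced by the text it returns before the outer command is parsed, so the searches below are shown in pairs: the search as written, followed by the expanded text that `eval` actually receives. Host, sourcetype, field names and the value a0291da-2039 are the thread's own; the temporary field name `quoted_session` is an assumption, and `head 1` is dropped because `return` already limits the subsearch to one result (as aweitzman notes further down).

```spl
host=IMG6460B sourcetype="WinEventLog:Application"
| eval UserSession=[ search host=IMG6460B sourcetype="WinEventLog:System" | return $Session ]

host=IMG6460B sourcetype="WinEventLog:Application"
| eval UserSession=a0291da-2039

host=IMG6460B sourcetype="WinEventLog:Application"
| eval UserSession=[ search host=IMG6460B sourcetype="WinEventLog:System" | eval quoted_session="\"".Session."\"" | return $quoted_session ]
| table _time host UserSession

host=IMG6460B sourcetype="WinEventLog:Application"
| eval UserSession="a0291da-2039"
| table _time host UserSession
```

In the first pair, `eval` reads the unquoted token as an expression: `a0291da` is taken as a field name and `-2039` as a subtraction, so UserSession is null. A purely numeric Session value expands to a valid numeric literal, which is why numbers appeared to work and strings did not. In the second pair, the inner eval wraps the value in literal double quotes, so the expansion is a string literal. The expanded search text can be confirmed in the Job Inspector after running the search.
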
musskopf
Builder

I don't think it's possible. The closest I got was using the "map" command, which is basically a loop: "for each result, do that...". Have a look at the documentation; it might be useful for you.

jrodriguezap
Contributor

Is this possible? Or is there any other way?

jrodriguezap
Contributor

A question, please.
Can you send a parameter from the main search to the return search?
I need to put a condition on the return value, something like this:

    index=main field_MAIN=val1 | eval test=[ search index=other_index | where field_SUB=field_MAIN | head 1 | eval fieldA="\""+fieldA+"\"" | return $fieldA]
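
Passing a value from the outer search into the inner one, as an added example that is not part of musskopf's answer or of the question above. A subsearch runs first and independently of the outer search, so `where field_SUB=field_MAIN` inside the brackets never sees field_MAIN. The `map` command musskopf mentions runs the inner search once per outer result and substitutes `$field_MAIN$` with that result's value. The index names, field names and val1 are taken from the question; the `dedup` and the maxsearches cap of 100 are assumptions.

```spl
index=main field_MAIN=val1
| dedup field_MAIN
| map search="search index=other_index field_SUB=\"$field_MAIN$\" | head 1 | eval field_MAIN=\"$field_MAIN$\" | table field_MAIN fieldA" maxsearches=100
```

Each outer result launches one inner search, so keep the outer result set small (hence the `dedup`) and raise maxsearches deliberately; results beyond the cap are not searched. `map` returns only the inner search's fields, which is why the inner `eval field_MAIN=...` copies the outer value into the output so the two sides can be compared.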

jrodriguezap
Contributor

It is true, musskopf.
I had not realized that the quotes were needed. @tom_frotscher's answer was quite right.
Sorry, and thank you very much.

musskopf
Builder

Seems to be a bug; the workaround is to add the quotes as you did. It worked for me:

    index=main | eval test=[ search index=other_index | head 1 | eval fieldA="\""+fieldA+"\"" | return $fieldA]

jrodriguezap
Contributor

Hi
Has this ever happened to anyone? Or should this be reported to support as a bug? 😞

jrodriguezap
Contributor

I tried it with another indexer, and I like it.
When I run only

    search host=IMG6460B sourcetype="WinEventLog:System" | head 1 | eval temp_session="\"".Session."\"" | return $temp_session

it returns the value

    temp_session
    a0291da-2039

but when I run it with eval, the field UserSession does not get the value.
It's weird.

linu1988
Champion

For returning multiple values, use makemv, then return the whole value, then divide the multivalued field.

aweitzman
Motivator

That's weird: @tom_frotscher's solution totally worked for me.

(As an aside - you can leave out the head 1 clause in the subsearch - by using the return function the head 1 is implied.)

I agree, it seems strange that you have to do the additional eval processing to get it to work with string values being returned, but it does seem to work correctly.

jrodriguezap
Contributor

Thanks, tom_frotscher.
I tried the eval, but nothing; it does not return the string value, only numeric. Is that normal?
