I am new to Splunk and I have a question that I think should have a simple solution, but I can't find it.
The below "eval foo" works as I expect. It is listed under the fields list and contains the text and samaccountname as I specified with eval.
| ldapsearch limit=10 domain=SPL search="(&(objectclass=user)(!(objectClass=computer)))" | eval foo = "test:" + sAMAccountName
But when I try the same with ldapgroup (see below), eval foo doesn't work. It's not listed under the fields list, and if I add | table foo to the end of the search I get no results found.
|ldapsearch domain=SPL search="(&(objectclass=group)(cn=Administrators))"|ldapgroup domain=SPL|eval foo = "test:" + member_name
Any suggestions as to what I am doing wrong?
You should use "." to concatenate instead of "+" in your eval. Also, make sure that the member_name field still exists after you use the ldapgroup command.