added eval for #13

Signed-off-by: Zach Christensen <[email protected]>

src/SA-CrowdstrikeDevices/default/savedsearches.conf

@@ -43,7 +43,7 @@ search = `sa_crowdstrike_index` sourcetype="crowdstrike:device:json" \
     nt_host=lower('falcon_device.hostname'),\
     dns=lower(nt_host.".".'falcon_device.machine_domain'),\
     mac=lower(replace('falcon_device.mac_address', "-", ":")),\
-    bunit=lower(replace(mvjoin('falcon_device.ou{}', ","), " ", "_")),\
+    bunit=lower(replace(mvjoin(mvappend('falcon_device.ou{}', 'falcon_device.site_name'), ","), " ", "_")),\
     priority=case(match(category, "domain_controller"), "critical", match(category, "server|ubuntu|rhel|linux"), "high", true(), "medium"),\
     is_expected=if(priority=="critical", "true", "false"),\
     _key=md5(nt_host)\