return

Description

Returns values from a subsearch.

The return command is used to pass values up from a subsearch. The command replaces the incoming events with one event, with one attribute: "search". To improve performance, the return command automatically limits the number of incoming results with the head command and the resulting fields with the fields command.

By default, the return command uses only the first row of results. Use the count argument to specify the number of results to use.

Syntax

return [<count>] [<alias>=<field>...] [<field>...] [$<field>...]

Required arguments

None.

Optional arguments

<count>: Syntax: <int>; Description: Specify the number of rows.; Default: 1, which is the first row of results passed into the command.

<alias>: Syntax: <alias>=<field>...; Description: Specify the field alias and value to return. You can specify multiple pairs of aliases and values, separated by spaces.

<field>: Syntax: <field>...; Description: Specify one or more fields to return, separated by spaces.

<$field>: Syntax: <$field>; Description: Specify one or more field values to return, separated by spaces.

Usage

The command is convenient for outputting a field name, a alias-value pair, or just a field value.

Output	Example
Field name	`return source`
Alias=value	`return ip=srcip`
Value	`return $srcip`

By default, the return command uses only the first row of results. You can specify multiple rows, for example 'return 2 ip'. Each row is viewed as an OR clause, that is, output might be '(ip=10.1.11.2) OR (ip=10.2.12.3)'. Multiple values can be specified and are placed within OR clauses. So, 'return 2 user ip' might output '(user=bob ip=10.1.11.2) OR (user=fred ip=10.2.12.3)'.

In most cases, using the return command at the end of a subsearch removes the need for head, fields, rename, format, and dedup.

Duplicate values

Suppose you have the following search:

sourcetype=WinEventLog:Security | return 2 user

You might logically expect the command to return the first two distinct users. Instead the command looks at the first two events, based on the ordering from the implied head command. The return command returns the users within those two events. The command does not determine if the user value is unique. If the same user is listed in these events, the command returns only the one user.

To return unique values, you need to include the dedup command in your search. For example:

sourcetype=WinEventLog:Security | dedup user | return 2 user

Quotations in returned fields

The return command does not escape quotation marks that are in the fields that are returned. You must use an eval command to escape the quotation marks before you use the return command. For example:

...[search eval field2=replace(field1,"\"","\\\"") | return field2]

Examples

Example 1:

Search for 'error ip=<someip>', where <someip> is the most recent ip used by user 'boss'.

error [ search user=boss | return ip ]

Example 2:

Search for 'error (user=user1 ip=ip1) OR (user=user2 ip=ip2)', where the users and IPs come from the two most-recent logins.

error [ search login | return 2 user ip ]

Example 3:

Return to eval the userid of the last user, and increment it by 1.

... | eval nextid = 1 + [ search user=* | return $id ] | ...

Search Reference

Introduction

Quick Reference

Evaluation Functions

Statistical and Charting Functions

Time Format Variables and Modifiers

Search Commands

Internal Commands

Search in the CLI

return

Description

Syntax

Required arguments

Optional arguments

Usage

Duplicate values

Quotations in returned fields

Examples

Example 1:

Example 2:

Example 3:

See also

Comments

Search Reference

Related Answers

return

Description

Syntax

Required arguments

Optional arguments

Usage

Duplicate values

Quotations in returned fields

Examples

Example 1:

Example 2:

Example 3:

See also

Comments

return