Related Answers
Download topic as PDF
return
Description
Returns values from a subsearch.
The return command is used to pass values up from a subsearch. The command replaces the incoming events with one event, with one attribute: "search". To improve performance, the return command automatically limits the number of incoming results with the head command and the resulting fields with the fields command.
By default, the return command uses only the first row of results. Use the count argument to specify the number of results to use.
Syntax
return [<count>] [<alias>=<field>...] [<field>...] [$<field>...]
Required arguments
None.
Optional arguments
- <count>
- Syntax: <int>
- Description: Specify the number of rows.
- Default: 1, which is the first row of results passed into the command.
- <alias>
- Syntax: <alias>=<field>...
- Description: Specify the field alias and value to return. You can specify multiple pairs of aliases and values, separated by spaces.
- <field>
- Syntax: <field>...
- Description: Specify one or more fields to return, separated by spaces.
- <$field>
- Syntax: <$field>
- Description: Specify one or more field values to return, separated by spaces.
Usage
The command is convenient for outputting a field name, a alias-value pair, or just a field value.
| Output | Example |
|---|---|
| Field name | return source
|
| Alias=value | return ip=srcip
|
| Value | return $srcip
|
By default, the return command uses only the first row of results. You can specify multiple rows, for example 'return 2 ip'. Each row is viewed as an OR clause, that is, output might be '(ip=10.1.11.2) OR (ip=10.2.12.3)'. Multiple values can be specified and are placed within OR clauses. So, 'return 2 user ip' might output '(user=bob ip=10.1.11.2) OR (user=fred ip=10.2.12.3)'.
In most cases, using the return command at the end of a subsearch removes the need for head, fields, rename, format, and dedup.
Duplicate values
Suppose you have the following search:
sourcetype=WinEventLog:Security | return 2 user
You might logically expect the command to return the first two distinct users. Instead the command looks at the first two events, based on the ordering from the implied head command. The return command returns the users within those two events. The command does not determine if the user value is unique. If the same user is listed in these events, the command returns only the one user.
To return unique values, you need to include the dedup command in your search. For example:
sourcetype=WinEventLog:Security | dedup user | return 2 user
Quotations in returned fields
The return command does not escape quotation marks that are in the fields that are returned. You must use an eval command to escape the quotation marks before you use the return command. For example:
...[search eval field2=replace(field1,"\"","\\\"") | return field2]
Examples
Example 1:
Search for 'error ip=<someip>', where <someip> is the most recent ip used by user 'boss'.
error [ search user=boss | return ip ]
Example 2:
Search for 'error (user=user1 ip=ip1) OR (user=user2 ip=ip2)', where the users and IPs come from the two most-recent logins.
error [ search login | return 2 user ip ]
Example 3:
Return to eval the userid of the last user, and increment it by 1.
... | eval nextid = 1 + [ search user=* | return $id ] | ...
See also
|
PREVIOUS rest |
NEXT reverse |
This documentation applies to the following versions of Splunk® Enterprise: 6.5.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 9.0.0, 9.0.1, 7.3.4
Feedback submitted, thanks!