In most cases, using the return command at the end of a subsearch removes the need for head, fields, rename, format, and dedup.

Multiple values can be specified and are placed within OR clauses. Each row is viewed as an OR clause, that is, output might be '(ip=10.1.11.2) OR (ip=10.2.12.3)'. You can specify multiple rows, for example 'return 2 ip'.

The command is convenient for outputting a field name, an alias-value pair, or just a field value.

By default, the return command uses only the first row of results.

Syntax:
Description: Specify one or more field values to return, separated by spaces.

Description: Specify one or more fields to return, separated by spaces.

Description: Specify the field alias and value to return. You can specify multiple pairs of aliases and values, separated by spaces. The argument does not support spaces before and after the '=' sign.

Optional arguments

Syntax:
Description: Specify the number of rows.
Default: 1, which is the first row of results passed into the command.

Use the count argument to specify the number of results to use.

To improve performance, the return command automatically limits the number of incoming results with the head command and the resulting fields with the fields command.

return replaces the incoming events with one event, with one attribute: "search".

Use the return command to return values from a subsearch.
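
A usage sketch of the subsearch pattern described above, added here as an example and not taken from the Splunk documentation: the subsearch ranks source addresses by failed VPN logins, and `return 2 src=client_ip` hands the top two rows to the outer search as an OR clause of the form '(src=...) OR (src=...)'. The index names (`vpn`, `proxy`) and field names (`action`, `client_ip`, `src`, `user`, `dest`) are assumptions about the environment.

```spl
index=proxy
    [ search index=vpn action=failure earliest=-24h
      | stats count AS failures BY client_ip
      | sort - failures
      | return 2 src=client_ip ]
| stats count AS requests, values(user) AS users, values(dest) AS destinations BY src
```

The alias form is used because the proxy events are assumed to carry the address in `src` rather than `client_ip`; without the count of 2, only the first row of the subsearch would be returned.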