https://community.splunk.com/t5/Splunk-Dev/How-to-retrieve-specific-Splunk-query-response/m-p/595751#M10607 <P>Lovely thank you.&nbsp; Just now figured out that even the below works</P><P>| rename transactionid as search</P><P>&nbsp;</P><P>Source:&nbsp;<A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Changetheformatofsubsearchresults" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Changetheformatofsubsearchresults</A></P><P>The following search looks for a value in the<SPAN>&nbsp;</SPAN>clID<SPAN>&nbsp;</SPAN>field that is associated with a name token or field value. The clID value is then used to search for several sources.</P><P class="">index=myindex [search index=myindex host=myhost MyName | top limit=1 clID | fields clID ]</P><P>The subsearch returns the field and value in the format:<SPAN>&nbsp;</SPAN>( (clID="0050834ja") )</P><P>To return only the value,<SPAN>&nbsp;</SPAN>0050834ja, rename the<SPAN>&nbsp;</SPAN>clID<SPAN>&nbsp;</SPAN>field to<SPAN>&nbsp;</SPAN>search<SPAN>&nbsp;</SPAN>in the subsearch. For example:</P><P class="">index=myindex [search index=myindex host=myhost MyName | top limit=1 clID | fields clID | rename clID as search ]</P><P>When the field is named<SPAN>&nbsp;</SPAN>search<SPAN>&nbsp;</SPAN>or<SPAN>&nbsp;</SPAN>query, the field name is dropped and the implicit<SPAN>&nbsp;</SPAN>| format<SPAN>&nbsp;</SPAN>command at the end of the subsearch returns only the value.</P><P>If you return multiple values, such as specifying<SPAN>&nbsp;</SPAN>...| top limit=3, the subsearch returns each of the values with the boolean OR operator between the values. For example, if the previous search example used<SPAN>&nbsp;</SPAN>...| top limit=3, the values returned from the subsearch are<SPAN>&nbsp;</SPAN>( ( value1 ) OR ( value2 ) OR ( value3 ) ).</P><P>&nbsp;</P> Thu, 28 Apr 2022 08:04:17 GMT msg4sunil 2022-04-28T08:04:17Z https://community.splunk.com/t5/Splunk-Dev/How-to-retrieve-specific-Splunk-query-response/m-p/595743#M10603 <P>Team,</P> <P>index sourcetype=app_* some_search | rex "\[(?&lt;transactionid&gt;[A-Za-z0-9]+)\]" | rename transactionid as q|table q|format</P> <P>returns me</P> <P>( ( q="100223608103" ) OR ( q="D202204021000676" ) )</P> <P>&nbsp;</P> <P>How do I get the below instead?</P> <P>( ( "100223608103" ) OR ("D202204021000676" ) )</P> <P>&nbsp;</P> <P>Thank you</P> Thu, 28 Apr 2022 18:07:13 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-retrieve-specific-Splunk-query-response/m-p/595743#M10603 msg4sunil 2022-04-28T18:07:13Z https://community.splunk.com/t5/Splunk-Dev/How-to-retrieve-specific-Splunk-query-response/m-p/595748#M10604 <P>Not exactly what you want, but replace format with</P><LI-CODE lang="markup">| return 999 $q</LI-CODE><P>&nbsp;that will give you&nbsp;</P><P><SPAN>(100223608103) OR (D202204021000676)</SPAN></P><P>&nbsp;</P> Thu, 28 Apr 2022 07:54:31 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-retrieve-specific-Splunk-query-response/m-p/595748#M10604 bowesmana 2022-04-28T07:54:31Z https://community.splunk.com/t5/Splunk-Dev/How-to-retrieve-specific-Splunk-query-response/m-p/595749#M10605 <LI-CODE lang="markup">| rename transactionid as query</LI-CODE> Thu, 28 Apr 2022 07:56:01 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-retrieve-specific-Splunk-query-response/m-p/595749#M10605 ITWhisperer 2022-04-28T07:56:01Z https://community.splunk.com/t5/Splunk-Dev/How-to-retrieve-specific-Splunk-query-response/m-p/595750#M10606 <P>I always forget 'query' keyword</P><P>Here's the doco on those keywords</P><P><A href="https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Search/Changetheformatofsubsearchresults" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Search/Changetheformatofsubsearchresults</A></P><P>&nbsp;</P> Thu, 28 Apr 2022 07:59:40 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-retrieve-specific-Splunk-query-response/m-p/595750#M10606 bowesmana 2022-04-28T07:59:40Z https://community.splunk.com/t5/Splunk-Dev/How-to-retrieve-specific-Splunk-query-response/m-p/595751#M10607 <P>Lovely thank you.&nbsp; Just now figured out that even the below works</P><P>| rename transactionid as search</P><P>&nbsp;</P><P>Source:&nbsp;<A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Changetheformatofsubsearchresults" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Changetheformatofsubsearchresults</A></P><P>The following search looks for a value in the<SPAN>&nbsp;</SPAN>clID<SPAN>&nbsp;</SPAN>field that is associated with a name token or field value. The clID value is then used to search for several sources.</P><P class="">index=myindex [search index=myindex host=myhost MyName | top limit=1 clID | fields clID ]</P><P>The subsearch returns the field and value in the format:<SPAN>&nbsp;</SPAN>( (clID="0050834ja") )</P><P>To return only the value,<SPAN>&nbsp;</SPAN>0050834ja, rename the<SPAN>&nbsp;</SPAN>clID<SPAN>&nbsp;</SPAN>field to<SPAN>&nbsp;</SPAN>search<SPAN>&nbsp;</SPAN>in the subsearch. For example:</P><P class="">index=myindex [search index=myindex host=myhost MyName | top limit=1 clID | fields clID | rename clID as search ]</P><P>When the field is named<SPAN>&nbsp;</SPAN>search<SPAN>&nbsp;</SPAN>or<SPAN>&nbsp;</SPAN>query, the field name is dropped and the implicit<SPAN>&nbsp;</SPAN>| format<SPAN>&nbsp;</SPAN>command at the end of the subsearch returns only the value.</P><P>If you return multiple values, such as specifying<SPAN>&nbsp;</SPAN>...| top limit=3, the subsearch returns each of the values with the boolean OR operator between the values. For example, if the previous search example used<SPAN>&nbsp;</SPAN>...| top limit=3, the values returned from the subsearch are<SPAN>&nbsp;</SPAN>( ( value1 ) OR ( value2 ) OR ( value3 ) ).</P><P>&nbsp;</P> Thu, 28 Apr 2022 08:04:17 GMT https://community.splunk.com/t5/Splunk-Dev/How-to-retrieve-specific-Splunk-query-response/m-p/595751#M10607 msg4sunil 2022-04-28T08:04:17Z