topic Re: return command is not giving desired result in Splunk Search

Why is return command not giving desired result?

AL3Z — Tue, 18 Jul 2023 00:49:15 GMT

Hi,

I'm trying to exclude list of sites from my search from lookup table its not working as expected,

base search

sub search

NOT

(
[| inputlookup instances.csv
| fields instance_id
| return 1000 instance_id])

If we use same below as a sub search in my main search it is not giving any events what could be the reason ? do we need to modify sub search ?

| inputlookup instances.csv | fields instance_id | return 1000 instance_id

output:

instance_id search

(instance_id="xyz") OR (instance_id="abc.com") OR (instance_id="cpl.com") OR (instance_id="ipl.com") OR (instance_id="bcci.com") OR (instance_id="pca.com") OR (instance_id="eca.com") OR (instance_id="aca.com") OR (instance_id="nca.com") OR (instance_id="ica.com") OR (instance_id="bca.com")

Re: return command is not giving desired result

gcusello — Mon, 17 Jul 2023 05:48:21 GMT

Hi @AL3Z,

did you already tried an easier solution?

<your_search> NOT [ | inputlookup instances.csv | fields instance_id ]

Ciao.

Giuseppe

Re: return command is not giving desired result

AL3Z — Mon, 17 Jul 2023 09:14:41 GMT

It is not working...

Re: return command is not giving desired result

gcusello — Mon, 17 Jul 2023 09:17:40 GMT

Hi @AL3Z ,

are you sure that in the main search the field is exactly named "instance_id"?

if not, rename it in the subsearch

ciao.

Giuseppe

Re: return command is not giving desired result

AL3Z — Mon, 17 Jul 2023 09:23:50 GMT

yes, no its working if I put | return 1000 instance_id

thanks...

Re: return command is not giving desired result

gcusello — Mon, 17 Jul 2023 09:30:58 GMT

Hi @AL3Z,

I usually not use return in subsearches without issue, with the only attention to use the field name in main and sub searches!

what do you mean with " no its working if I put | return 1000 instance_id"?

does it filter results or not?

what's the difference using also returns?

What does it happen if you don't use NOT, have you results?

Usually the problem is the opposite: it runs without negation and runs with NOT.

Ciao.

Giuseppe

Re: return command is not giving desired result

AL3Z — Mon, 17 Jul 2023 11:08:19 GMT

are you sure that in the main search the field is exactly named "instance_id"? -----> yes

if not, rename it in the subsearch ---------------> No

If we use <your_search> [ | inputlookup instances.csv | fields instance_id ] its not filtering events.

Using [ | inputlookup instances.csv | fields instance_id | return 1000 instance_id] its filtering all the events.

in my scenario we are using NOT to excludes these instances from my search.

Thanks..

Re: return command is not giving desired result

gcusello — Mon, 17 Jul 2023 11:12:41 GMT

Hi @AL3Z ,

I understood the you need the NOT condition, but it was only for debugging!

For my knowledge it should run without return, but with return have you the required filtering or not?

Ciao.

Giuseppe

Re: return command is not giving desired result

AL3Z — Mon, 17 Jul 2023 13:06:31 GMT

yup,with return we do have required filtering.

Re: return command is not giving desired result

gcusello — Mon, 17 Jul 2023 13:20:46 GMT

Hi @AL3Z,

so what's the issue with the above search and subsearch?

ciao.

Giuseppe

Re: return command is not giving desired result

AL3Z — Tue, 18 Jul 2023 10:45:26 GMT

In the sub search we need to use the return 1000 or not ?

Re: return command is not giving desired result

gcusello — Tue, 18 Jul 2023 12:01:35 GMT

Hi @AL3Z,

I usually don't use it, but if, in you case, the search runs only with return, use it!

Ciao.

Giuseppe