Hi All,
To give some context, the return function in Splunk when used with a subsearch allows you to drop the field name when used with the "$" symbol. So for example in the subsearch: [search index=A | fields test | return $test], rather than returning test=B or test=C, this will only return "B" and "C".
If I create a search like: index=A inputlookup lookup.csv | return $test, is there any way to only return the value in the inputlookup, "B", and not test=B? Or are there any other ways to do this?
Thanks
Use query.
index=A [inputlookup lookup.csv | rename test as query]
Thanks for that, it works great. Would you be able to explain what renaming to query does?
It is described in the manual.
https://docs.splunk.com/Documentation/Splunk/7.1.1/Search/Changetheformatofsubsearchresults
Only the first one
index = * [inputlookup xxx.csv | fields col_a | rename col_a as search]
-> index = * "AA"
For all values
index = * [inputlookup xxx.csv | fields col_a | rename col_a as query]
-> index = * ("AA" OR "CC")