wills2g
New Member
06-25-2018
10:06 PM
Hi All,
To give some context, the return function in Splunk when used with a subsearch allows you to drop the field name when used with the "$" symbol. So for example in the subsearch: [search index=A | fields test | return $test], rather than returning test=B or test=C, this will only return "B" and "C".
If I create a search like: index=A inputlookup lookup.csv | return $test, is there any way to only return the value in the inputlookup, "B", and not test=B? Or are there any other ways to do this?
Thanks
1 Solution
HiroshiSatoh
Champion
06-25-2018
10:32 PM
Use query.
index=A [inputlookup lookup.csv | rename test as query]
wills2g
New Member
06-26-2018
04:15 PM
Thanks for that, it works great. Would you be able to explain what renaming to query does?
HiroshiSatoh
Champion
06-26-2018
05:46 PM
It is described in the manual.
https://docs.splunk.com/Documentation/Splunk/7.1.1/Search/Changetheformatofsubsearchresults
Only the first one:
index = * [inputlookup xxx.csv | fields col_a | rename col_a as search]
-> index = * "AA"
For all of them:
index = * [inputlookup xxx.csv | fields col_a | rename col_a as query]
-> index = * ("AA" OR "CC")
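To make the difference between the default field=value expansion and the `query` rename concrete, here is a small Python model of the formatting step a subsearch applies to its result rows. It is an added illustration, not Splunk's own code: it assumes a simplified rendering (one AND-joined group per row, rows OR-joined) and a constructed stand-in for the question's lookup.csv with a single column `test` holding B and C.

```python
from typing import Iterable, Mapping, Optional


def quote(value: str) -> str:
    """Render a value as one SPL string literal, escaping backslashes and quotes."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def format_subsearch(rows: Iterable[Mapping[str, str]],
                     raw_field: Optional[str] = "query") -> str:
    """Simplified model of how subsearch rows become a search string.

    Each row turns into field="value" terms joined with AND; the rows are
    joined with OR. A field named `raw_field` (the thread's `query`) is the
    exception: its value is emitted as a bare quoted literal, so the field
    name disappears from the generated search.
    """
    clauses = []
    for row in rows:
        terms = []
        for field, value in row.items():
            if field == raw_field:
                terms.append(quote(value))          # value only, no field name
            else:
                terms.append(f"{field}={quote(value)}")
        if terms:
            clauses.append("( " + " AND ".join(terms) + " )")
    # Convention for this model: no rows means no filter text at all.
    return "( " + " OR ".join(clauses) + " )" if clauses else ""


# Constructed stand-in for lookup.csv: column `test`, rows B and C.
LOOKUP_ROWS = [{"test": "B"}, {"test": "C"}]


def with_field_name() -> str:
    """What the subsearch produces when `test` is left as-is."""
    return format_subsearch(LOOKUP_ROWS)


def with_query_rename() -> str:
    """What it produces after `rename test as query`."""
    renamed = [{"query": row["test"]} for row in LOOKUP_ROWS]
    return format_subsearch(renamed)


if __name__ == "__main__":
    print("default:", with_field_name())
    print("query:  ", with_query_rename())
```

Running it prints the field-qualified form first and the bare-literal form second, which is exactly the `test=B` versus `"B"` distinction the question asks about.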
