Subsearch only returns 1 value

Thuan · ‎05-14-2014

The search below produces multiple values for c_ip

index=proxy*
| fields c_ip s_op d_ip r_host d_port cs_bytes cs_uri referer c_agent
| lookup RedSkyIOCip-Proxy Indicator AS d_ip OUTPUT Source ReferenceAttribution
| search Source=RedSkyIOC
| table _time c_ip d_ip Source ReferenceAttribution cs_uri referer c_agent

When it is modified to become a subsearch as below, the subsearch only returns 1 value for c_ip. What is not working?

richgalloway · ‎05-14-2014

The return command defaults to returning a single value. Try replacing it with a field command.

---
If this reply helps you, Karma would be appreciated.

Subsearch only returns 1 value

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation

Subsearch only returns 1 value

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition