Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why is return command not giving desired result?

AL3Z
Builder
‎07-16-2023 06:25 PM

Hi,

I'm trying to exclude list of sites from my search from lookup table its not working as expected,

base search

sub search

NOT

(
[| inputlookup instances.csv
| fields instance_id
| return 1000 instance_id])

 

If we use same below as a sub search in my main search it is not giving any events what could be the reason ? do we need to modify sub search ?

| inputlookup instances.csv | fields instance_id | return 1000 instance_id

 

output:

instance_id search

  (instance_id="xyz") OR (instance_id="abc.com") OR (instance_id="cpl.com") OR (instance_id="ipl.com") OR (instance_id="bcci.com") OR (instance_id="pca.com") OR (instance_id="eca.com") OR (instance_id="aca.com") OR (instance_id="nca.com") OR (instance_id="ica.com") OR (instance_id="bca.com")
Labels (1)
Labels
0 Karma
Reply

AL3Z
Builder
‎07-17-2023 04:08 AM

are you sure that in the main search the field is exactly named "instance_id"?      -----> yes

if not, rename it in the subsearch         --------------->    No

If we use <your_search>  [ | inputlookup instances.csv | fields instance_id ] its not filtering events.

Using [ | inputlookup instances.csv | fields instance_id | return 1000 instance_id]  its filtering all the events. 

in my scenario we are using NOT to excludes these instances from my search.

 

Thanks..

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-17-2023 04:12 AM

Hi @AL3Z ,

I understood the you need the NOT condition, but it was only for debugging!

For my knowledge it should run without return, but with return have you the required filtering or not?

Ciao.

Giuseppe

0 Karma
Reply

AL3Z
Builder
‎07-17-2023 06:06 AM

yup,with return we do have  required filtering.

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-17-2023 06:20 AM

Hi @AL3Z,

so what's the issue with the above search and subsearch?

ciao.

Giuseppe

0 Karma
Reply

AL3Z
Builder
‎07-18-2023 03:45 AM

In the sub search we need to use the return 1000 or not ?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-18-2023 05:01 AM

Hi @AL3Z,

I usually don't use it, but if, in you case, the search runs only with return, use it!

Ciao.

Giuseppe

0 Karma
Reply

AL3Z
Builder
‎07-17-2023 02:23 AM

yes, no its working if I put  | return 1000 instance_id

thanks...

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-17-2023 02:30 AM

Hi @AL3Z,

I usually not use return in subsearches without issue, with the only attention to use the field name in main and sub searches!

what do you mean with " no its working if I put  | return 1000 instance_id"?

does it filter results or not?

what's the difference using also returns?

What does it happen if you don't use NOT, have you results?

Usually the problem is the opposite: it runs without negation and runs with NOT.

Ciao.

Giuseppe

0 Karma
Reply

AL3Z
Builder
‎07-17-2023 02:14 AM

It is not working...

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-17-2023 02:17 AM

Hi @AL3Z ,

are you sure that in the main search the field is exactly named "instance_id"?

if not, rename it in the subsearch

ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-16-2023 10:48 PM

Hi @AL3Z,

did you already tried an easier solution?

<your_search> NOT [ | inputlookup instances.csv | fields instance_id ]

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...