Why is return command not giving desired result?

AL3Z
Builder

Hi,

I'm trying to exclude a list of sites from my search using a lookup table, but it's not working as expected:

base search:

sub search:

NOT
(
[| inputlookup instances.csv
| fields instance_id
| return 1000 instance_id])

If we use the same below as a subsearch in my main search, it is not giving any events. What could be the reason? Do we need to modify the subsearch?

| inputlookup instances.csv | fields instance_id | return 1000 instance_id

output:

instance_id search

  (instance_id="xyz") OR (instance_id="abc.com") OR (instance_id="cpl.com") OR (instance_id="ipl.com") OR (instance_id="bcci.com") OR (instance_id="pca.com") OR (instance_id="eca.com") OR (instance_id="aca.com") OR (instance_id="nca.com") OR (instance_id="ica.com") OR (instance_id="bca.com")

AL3Z
Builder

are you sure that in the main search the field is exactly named "instance_id"?      -----> yes

if not, rename it in the subsearch         --------------->    No

If we use <your_search>  [ | inputlookup instances.csv | fields instance_id ] it's not filtering events.

Using [ | inputlookup instances.csv | fields instance_id | return 1000 instance_id ] it's filtering all the events.

In my scenario we are using NOT to exclude these instances from my search.

Thanks..


gcusello
SplunkTrust

Hi @AL3Z ,

I understood that you need the NOT condition, but it was only for debugging!

To my knowledge it should run without return, but with return do you have the required filtering or not?

Ciao.

Giuseppe


AL3Z
Builder

Yup, with return we do have the required filtering.

gcusello
SplunkTrust

Hi @AL3Z,

so what's the issue with the above search and subsearch?

Ciao.

Giuseppe


AL3Z
Builder

In the subsearch, do we need to use return 1000 or not?

gcusello
SplunkTrust

Hi @AL3Z,

I usually don't use it, but if, in your case, the search runs only with return, use it!

Ciao.

Giuseppe


AL3Z
Builder

Yes, no, it's working if I put | return 1000 instance_id

Thanks...

gcusello
SplunkTrust

Hi @AL3Z,

I usually use return in subsearches without issue; the only thing to pay attention to is using the field name in both the main and sub searches!

What do you mean with "no its working if I put | return 1000 instance_id"?

Does it filter results or not?

What's the difference when also using return?

What happens if you don't use NOT, do you have results?

Usually the problem is the opposite: it runs without negation and runs with NOT.

Ciao.

Giuseppe


AL3Z
Builder

It is not working...


gcusello
SplunkTrust

Hi @AL3Z ,

are you sure that in the main search the field is exactly named "instance_id"?

if not, rename it in the subsearch

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @AL3Z,

did you already try an easier solution?

<your_search> NOT [ | inputlookup instances.csv | fields instance_id ]

Ciao.

Giuseppe

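Three searches that isolate what the thread is going back and forth on, added here as an example and not taken from either poster. The lookup name instances.csv and the field instance_id come from the question; the index web, the sourcetype access_combined and the field name in_lookup are assumptions.

```spl
| inputlookup instances.csv
| fields instance_id
| format

index=web sourcetype=access_combined
    NOT [ | inputlookup instances.csv
          | fields instance_id
          | return 1000 instance_id ]

index=web sourcetype=access_combined
| lookup instances.csv instance_id OUTPUT instance_id AS in_lookup
| stats count AS total, count(in_lookup) AS would_be_excluded
```

The first search prints, in its search field, exactly the string a plain subsearch injects into the main search, so the two expansions (with and without return) can be compared side by side; the third tests whether any event carries an instance_id value that matches the lookup at all, because if would_be_excluded is 0 the field name or the values differ between the events and the lookup, and no NOT form will filter anything.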