how to read a return value

smolcj · ‎11-05-2012

hi,
if we are using a return command in a subsearch. how can we read the output of the search.
for ex:
if the search is like:
index=newindex source=filename.txt| return $PC_Rename |fields PC_Rename

how can we read the output of this search.PC_Rename consists of only one value , i just want t display the value in it.

please help 😞
thankyou for your time

Ayn · ‎11-05-2012

Have a look at the format command. It lets you define in which format subsearch results are returned, so you can define a format that is suitable for using with eval for instance if you want to write the value to a variable that you then use for showing somewhere like a SingleValue module.

Ayn · ‎11-06-2012

Yes? What does the number of arguments have to do with it? I don't see how using format would not be the way forward.

smolcj · ‎11-05-2012

Thanks Ayn for your response, but when i look into format command, it needs 6 args, but i just want to read the value returned by my search in a variable and i want to display it in another dashboard or form using that variable. i am stuck with reading the returned value.

how to read a return value

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!