how to read a return value

smolcj · ‎11-05-2012

hi,
if we are using a return command in a subsearch. how can we read the output of the search.
for ex:
if the search is like:
index=newindex source=filename.txt| return $PC_Rename |fields PC_Rename

how can we read the output of this search.PC_Rename consists of only one value , i just want t display the value in it.

please help 😞
thankyou for your time

Ayn · ‎11-05-2012

Have a look at the format command. It lets you define in which format subsearch results are returned, so you can define a format that is suitable for using with eval for instance if you want to write the value to a variable that you then use for showing somewhere like a SingleValue module.

Ayn · ‎11-06-2012

Yes? What does the number of arguments have to do with it? I don't see how using format would not be the way forward.

smolcj · ‎11-05-2012

Thanks Ayn for your response, but when i look into format command, it needs 6 args, but i just want to read the value returned by my search in a variable and i want to display it in another dashboard or form using that variable. i am stuck with reading the returned value.

how to read a return value

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation

how to read a return value

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!