

Hi - Firstly if you do not specifically specify the join type it takes the default as inner - from the Splunk join documentation:

'Syntax: type=inner | outer | left
Description: Indicates the type of join to perform. The difference between an inner and a left (or outer) join is how the events are treated in the main search that do not match any of the events in the subsearch. In both inner and left joins, events that match are joined. The results of an inner join do not include events from the main search that have no matches in the subsearch. The results of a left (or outer) join includes all of the events in the main search and only those values in the subsearch have matching field values.

Description: Specifies the maximum number of subsearch results that each main search result can join with.'

So probably what you need is - index=primary | join type=left Customer max=0 | table Customer Spend

You however need the inner / outer join in case you want common fields. The reason your query is working is because you have the same values for Customer in both searches. Without specifying a 'left' join type, say if there was a Customer value 4, you would not have got any returns from the sub search even if there was a customer with value 4 in the sub search.

BTW - Consider using stats, count, or appendcols, and join as a last resort.

“Return” command basically returns the result from the sub search to your main search. The return command automatically limits the number of incoming events with the “head” command and the resulting fields with the “fields” command.

“Sub search” in Splunk – A sub search is a search within a primary search. A sub search looks for a single piece of information that is then added as a criteria to the main search. Generally it’s a procedure of adding a condition dynamically to your main search.

The return command takes the following arguments:

<count> – Number of results you want to return (default is 1).
<alias>=<field> – Mention the field alias and the field name of the values to be returned; you can mention more than one <alias>=<field> pair separated by spaces.
<field> – Name of the fields to return; you can mention more than one field name separated by spaces.
$<field> – Name of the fields to return with the “$” sign; you can mention more than one field name separated by spaces.

At first we will see how the “return” command returns the result, then we will use that query as a sub search within a primary search and try to understand the function.

Example 1: index="sample_set" sourcetype=access_combined_wcookie action=view status=200 | top ip | return ip

Here we took data from the “sample_set” index and “access_combined_wcookie” sourcetype, which consists of data related to an online merchant site. Then we have added two filters, “action=view” and “status=200” (i.e. we want to see who viewed our product most), then using the top command we bring the most viewed ip’s, and last we used the return command to return our result. By default the return command uses “|head 1” to return the 1st value. As we can see, it brings the result in the form of a field value pair. By using the return command it only brings one column, which consists of the “ip” value.

Example 2: index="sample_set" sourcetype=access_combined_wcookie action=view status=200 | top ip | return 10 ip

As you can see everything is the same as earlier but the only change is with the “return” command. This time we are using |return 10, to get 10 ip values in the search field.

Example 3: index="sample_set" sourcetype=access_combined_wcookie action=purchase status=200 | top ip | return client_ip=ip

Here also, as you can see, everything’s the same as earlier but the only change is with the “return” command: we return the value of the ‘ip’ field in an alias named “client_ip”.

Example 4: index="sample_set" sourcetype=access_combined_wcookie action=view status=200 | top ip | return $ip

Here we return the value of the ‘ip’ field only in the search field, without the field name.

Example 5: index="sample_set" sourcetype=access_combined_wcookie action=view status=200 | return 3 ip JSESSIONID

Here we return 3 results, each with the two fields ip and JSESSIONID, mentioned together separated by spaces. You can alter the count and the fields as per the requirement of your primary search.

You can also know about: SENDRESULTS Command In Splunk
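The article above promises to use the return query as a sub search within a primary search but does not show that step. The following search is an added example, not from the original article; it assumes the same sample_set index, access_combined_wcookie sourcetype and the ip, action, status and JSESSIONID fields the examples use. The subsearch ranks the IPs with the most purchases and return turns the first three into (ip="…") OR (ip="…") OR (ip="…"), which the outer search uses as its filter; the outer search then summarises everything those three clients did, which is the usual way to review all activity from a source that a ranking search has singled out.

```spl
index="sample_set" sourcetype=access_combined_wcookie
    [ search index="sample_set" sourcetype=access_combined_wcookie action=purchase status=200
      | top ip
      | return 3 ip ]
| stats count AS events, values(action) AS actions, dc(JSESSIONID) AS sessions BY ip
```

Using return 3 $ip in the subsearch instead would inject the three bare values, so the outer search would match them anywhere in the raw event rather than only in the ip field; return 3 client_ip=ip would be the form to use if the outer search ran against a hypothetical source whose field is named client_ip instead of ip.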
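To show the "Customer value 4" case from the join answer earlier on this page, here is an added example that is not from that answer or from the Splunk documentation; it builds both sides of the join with makeresults, so it runs without any indexed data, and the Customer, Spend and Region fields are constructed. The main search has Customers 1 to 4, the subsearch only has Customers 1 to 3.

```spl
| makeresults count=4
| streamstats count AS Customer
| eval Spend = Customer * 100
| fields - _time
| join type=left Customer max=0
    [ | makeresults count=3
      | streamstats count AS Customer
      | eval Region = "region-" . Customer
      | fields - _time ]
| table Customer Spend Region
```

With type=left the table has four rows and the Customer 4 row has an empty Region; change it to type=inner (the default when type is omitted) and the Customer 4 row disappears, which is the behaviour the answer warns about.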
