The return command is used to pass values up from a subsearch. The command replaces the incoming events with one event, with one attribute: "search". To improve performance, the return command automatically limits the number of incoming results with the head command and the resulting fields with the fields command. By default, the return command uses only the first row of results. Use the count argument to specify the number of results to use.

Optional arguments

count
Description: Specify the number of rows.
Default: 1, which is the first row of results passed into the command.

Alias-value pair
Description: Specify the field alias and value to return. You can specify multiple pairs of aliases and values, separated by spaces.

Field
Description: Specify one or more fields to return, separated by spaces.

Field value
Description: Specify one or more field values to return, separated by spaces.

Usage

The command is convenient for outputting a field name, an alias-value pair, or just a field value. You can specify multiple rows, for example "return 2 ip". Each row is viewed as an OR clause, that is, output might be "(ip=10.1.11.2) OR (ip=10.2.12.3)". Multiple values can be specified and are placed within OR clauses. In most cases, using the return command at the end of a subsearch removes the need for head, fields, rename, format, and dedup.

Example

A subsearch that returns the first two user values from Windows Security events to the outer search (field names in Splunk are case-sensitive, so sourcetype is lowercase):

    sourcetype=WinEventLog:Security | return 2 user
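The argument semantics above, modelled as an added example in Python (not Splunk's own code): the rows are constructed failed-logon results standing in for a Windows Security subsearch, and splunk_return builds the single search string that the count, alias-value, field and field-value forms produce, following the page's "(ip=...) OR (ip=...)" output format.

```python
# Added example, not Splunk's own code: a model of how `return` turns
# subsearch rows into the one "search" attribute described above.
# Output format follows the page's example, e.g. "(ip=10.1.11.2) OR (ip=10.2.12.3)".

# Constructed subsearch results: failed-logon rows from Windows Security events.
ROWS = [
    {"user": "alice", "src_ip": "10.1.11.2", "EventCode": "4625"},
    {"user": "bob",   "src_ip": "10.2.12.3", "EventCode": "4625"},
    {"user": "carol", "src_ip": "10.3.13.4", "EventCode": "4625"},
]


def splunk_return(rows, count=1, aliases=None, fields=(), values=()):
    """Model `| return <count> alias=field field $field`.

    rows    -- subsearch results, one dict per row
    count   -- rows to use, like an implicit head; default 1 (first row only)
    aliases -- {alias: field}, emitted as alias=value
    fields  -- field names, emitted as field=value
    values  -- field names, emitted as the bare value only (the $field form)
    Returns the search string: one parenthesised clause per row, joined by OR.
    """
    aliases = aliases or {}
    clauses = []
    for row in rows[:count]:                  # implicit head
        parts = [f"{alias}={row[f]}" for alias, f in aliases.items() if f in row]
        parts += [f"{f}={row[f]}" for f in fields if f in row]
        parts += [str(row[f]) for f in values if f in row]
        if parts:                             # assumption: a row lacking every field adds no clause
            clauses.append("(" + " ".join(parts) + ")")
    return " OR ".join(clauses)


def outer_search(base, subsearch):
    """Splice the returned string into the outer search, as `base [ ... | return ... ]` does."""
    return f"{base} {subsearch}" if subsearch else base


if __name__ == "__main__":
    # `sourcetype=WinEventLog:Security | return 2 user` from the page
    sub = splunk_return(ROWS, count=2, fields=["user"])
    print(sub)                                                      # (user=alice) OR (user=bob)
    print(outer_search("index=proxy", sub))                         # outer search with the clause spliced in
    print(splunk_return(ROWS, count=2, aliases={"src": "src_ip"}))  # (src=10.1.11.2) OR (src=10.2.12.3)
    print(splunk_return(ROWS, count=3, values=["user"]))            # (alice) OR (bob) OR (carol)
```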