nano SIEM
return

Return specific field values from a subsearch. Used to pass values to the main search.

Description

The return command extracts specific field values from subsearch results and returns them to the main search. This is useful for dynamic filtering where you want to use subsearch results as filter criteria.

Syntax

... | return [<count>] <field> [, <field> ...]

Optional Arguments

count
Syntax: <int>
Description: Number of values to return
Default: All values

field
One or more fields to return values from.

Examples

Return single field

[search action=suspicious | return src_ip]

Returns the list of src_ip values from events with action=suspicious, for use as a filter in the main search.

Return multiple fields

[search threat_level="high" | return file_hash, domain]

Limit returned values

[search action=failed_login | return 100 src_ip]

Returns up to 100 IPs.

Return for filtering

* | where src_ip IN [search action=suspicious | return src_ip]

action=file_access 
| where file_hash IN [search source_type="threat_intel" | return file_hash]

The subsearch runs first; its returned values become the list the main search's IN clause matches against.

Dynamic user list

* | where user IN [search department="finance" | return user]

Usage Notes

Subsearch utility: return is used inside a subsearch (square brackets) to hand a list of field values to the main search.

IN operator: The returned values are usually consumed with the IN operator in a where clause.

Performance: A subsearch that returns thousands of values expands into a large filter list. Use the count argument to cap the list and keep the subsearch itself as narrow as possible.

Empty results: If the subsearch matches nothing, the returned list is empty and the IN filter matches no events. Run the subsearch on its own first to confirm it returns values before relying on it in a filter.

Alternative: Consider join or lookup for more complex enrichment, for example when you need other fields from the matched record rather than just a list of values.
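To make the subsearch-then-filter flow concrete, the following is an added example and not nano SIEM code: a small Python model of `search`, `return [<count>] <field>` and `where <field> IN [...]` run over constructed sample events. It covers the single-field form and the count argument only (the page does not state how multiple fields combine), and it assumes that return yields distinct values in first-seen order, which the page does not specify either. The empty-subsearch case from the usage notes is modelled as well.

```python
"""Toy model of `return` feeding an IN filter (added example, not nano SIEM code)."""

# Constructed sample events: one set standing in for threat-intel records
# (the subsearch side) and one for file-access events (the main search side).
THREAT_INTEL = [
    {"source_type": "threat_intel", "file_hash": "aaa111", "domain": "bad.example"},
    {"source_type": "threat_intel", "file_hash": "bbb222", "domain": "evil.example"},
    {"source_type": "threat_intel", "file_hash": "aaa111", "domain": "bad.example"},  # duplicate hash
    {"source_type": "threat_intel", "domain": "nohash.example"},  # record without file_hash
]
FILE_ACCESS = [
    {"action": "file_access", "user": "alice", "file_hash": "aaa111"},
    {"action": "file_access", "user": "bob", "file_hash": "ccc333"},
    {"action": "file_access", "user": "carol", "file_hash": "bbb222"},
    {"action": "file_access", "user": "dave"},  # event without file_hash
]


def search(events, **criteria):
    """Model of `search k=v ...`: keep events that match every criterion."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def return_values(events, field, count=None):
    """Model of `| return [<count>] <field>`.

    Assumption (not stated on the page): values are de-duplicated and kept in
    first-seen order. Events lacking the field contribute nothing. The count
    argument caps the number of values handed back to the main search.
    """
    seen = []
    for e in events:
        if field in e and e[field] not in seen:
            seen.append(e[field])
        if count is not None and len(seen) >= count:
            break
    return seen


def where_in(events, field, values):
    """Model of `| where <field> IN [...]`: events lacking the field never match."""
    allowed = set(values)
    return [e for e in events if field in e and e[field] in allowed]


def hunt_known_hashes(count=None):
    """action=file_access | where file_hash IN [search source_type="threat_intel" | return <count> file_hash]"""
    bad_hashes = return_values(search(THREAT_INTEL, source_type="threat_intel"), "file_hash", count)
    return where_in(search(FILE_ACCESS, action="file_access"), "file_hash", bad_hashes)


def hunt_with_empty_subsearch():
    """Same pipeline, but the subsearch matches nothing: the IN list is empty and so is the result."""
    bad_hashes = return_values(search(THREAT_INTEL, source_type="does_not_exist"), "file_hash")
    return where_in(search(FILE_ACCESS, action="file_access"), "file_hash", bad_hashes)


if __name__ == "__main__":
    print("returned hashes:", return_values(THREAT_INTEL, "file_hash"))
    print("matched users:", [e["user"] for e in hunt_known_hashes()])
    print("with count=1:", [e["user"] for e in hunt_known_hashes(1)])
    print("empty subsearch:", hunt_with_empty_subsearch())
```

The `hunt_with_empty_subsearch` function is the case to watch for in production queries: a misspelled source_type or an index with no recent threat-intel data silently turns the filter into "match nothing", which looks like a clean result rather than an error.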

See Also

  • format - Format subsearch results
  • append - Append subsearch results
  • join - Join with subsearch
  • where - Filter using returned values