_return is a query directive used to sort the result set.
_return is a directive used to execute playbook and return the result of the query execution mentioned inside the playbook along with the original stack of data as the result in the Search tab.
Take a look at the example given below:
_fetch * from event where $Duration=2d limit 1 >>_return bug_testing test_playbook123
1. The _fetch query directive retrieves all fields for each event in the event index where $Duration is 2 days. It is then limited to 1 row. The output is as shown below:
2. In the pipelined query, the _return directive uses the package name bug_testing and playbook name test_playbook123. The output is as shown below:
The _return directive allows you to:
- Execute playbook which is having status as EXECUTABLE.
- Blocking and non-blocking calls to playbook entities. Entities include widgets, workbook, report, module, template email, etc.
- The execution of the playbook returns the original stack of data as the result.
- It also returns the result of the query execution mentioned inside the playbook.
The generic syntax of the _return directive is as shown below:
_return <package_slug> <playbook_slug>
package_slug: slug name of the package
playbook_slug: slug name of the playbook
NOTE: The _return directive is available only on latest DNIF version 8.7.0