_return


_return is a query directive used to sort the result set.

Overview

_return is a directive used to execute playbook and return the result of the query execution mentioned inside the playbook along with the original stack of data as the result in the Search tab.

Example

Take a look at the example given below:

_fetch * from event where $Duration=2d limit 1
>>_return bug_testing test_playbook123

Here:

1. The _fetch query directive retrieves all fields for each event in the event index where $Duration is 2 days. It is then limited to 1 row. The output is as shown below:

resultset of the fetch query function

2. In the pipelined query, the _return directive uses the package name bug_testing and playbook name test_playbook123. The output is as shown below:

resultset of the fetch query function

The _return directive allows you to:

  • Execute playbook which is having status as EXECUTABLE.
  • Blocking and non-blocking calls to playbook entities. Entities include widgets, workbook, report, module, template email, etc.
  • The execution of the playbook returns the original stack of data as the result.
  • It also returns the result of the query execution mentioned inside the playbook.

Syntax

The generic syntax of the _return directive is as shown below:

_return <package_slug> <playbook_slug>

Here,

package_slug: slug name of the package

playbook_slug: slug name of the playbook

NOTE: The _return directive is available only on latest DNIF version 8.7.0