topic How can I give source string dynamically in COLLECT command? in Splunk Search

How can I give source string dynamically in COLLECT command?

tac24 — Thu, 12 Jul 2018 06:23:16 GMT

I want to extract a value dynamically in a subsearch and give the value (string) to source= << string>> of COLLECT command. The following example is extracting YYYYMMDD from the source field and making "src_yyyymmdd" string that will be given to source=<< string>> of the COLLECT command.

    main search... | collect index="ABC" source=[search index="XYZ" 
        |head 1 | rex field=source "^FILENAME_(?<YYYYMMDD>\d{8})_.*"
        | eval fieldval="\""+"src_"+YYYYMMDD+"\""  
        | table source YYYYMMDD fieldval
        | return $fieldval]

When I checked the above subsearch as a main search, every field value after table command was what I expected.

Unfortunately, the result was Error in 'collect' command: Invalid argument: 'src_20180705'

Could someone tell me why this happens and how to solve this problem?

Thanks.

Re: How can I give source string dynamically in COLLECT command?

poete — Mon, 16 Jul 2018 06:20:44 GMT

Hello @tac24,

the documentation states : Syntax: source= (from http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Collect).

It seems that you have the same problem as this one : https://answers.splunk.com/answers/240798/how-to-return-a-single-value-from-a-subsearch-into.html

So, this should do :

main search... | collect index="ABC" source=[search index="XYZ" 
         |head 1 | rex field=source "^FILENAME_(?<YYYYMMDD>\d{8})_.*"
         | eval val="src_".YYYYMMDD
         | eval fieldval="\"".val."\""
         | table source YYYYMMDD fieldval
         | return $fieldval]

Re: How can I give source string dynamically in COLLECT command?

niketn — Mon, 16 Jul 2018 06:37:59 GMT

@tac24 can you not override the source field even before the collect command with the value you need?

| eval source= [<yourQueryToGetNewSource>]
| collect <yourCommandArguments>