https://community.splunk.com/t5/Splunk-Search/subsearch-result-as-source/m-p/563280#M196257 <P>That's curious, I don't need the explicit "| fields source" in multiple tests on my 8.2.x environment... I know I missed the "as source" in my original response, then quickly edited it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Sat, 14 Aug 2021 13:10:30 GMT terminaloutcome 2021-08-14T13:10:30Z https://community.splunk.com/t5/Splunk-Search/subsearch-result-as-source/m-p/563256#M196245 <P>&nbsp;I am trying to craft a search that uses the most recent source as the basis for my search. The source is a file path &lt;<SPAN>C:\foo\bar.csv&gt;</SPAN></P><P>I think that a sub search is the best option because the source name is going to change weekly.&nbsp;</P><P>This is my sub search that returns one result with the file name</P><P>index=foo<BR />| stats latest(source) AS SourceName<BR />| return $SourceName</P><P>This is the search that I am trying to use:</P><P>index= foo | eval source=[search index=foo | stats latest(source) AS SN | return $SN ]</P><P>But I am getting this error:&nbsp;&nbsp;<SPAN>Error in 'eval' command: The expression is malformed.</SPAN></P><P>I have tested it when using the file path instead of the sub search and it does work but there is one problem. I need to put the file path in quotes. I am thinking that things are breaking down because the file path has \'s in it. I tried to look into concatenating strings&nbsp; to put the sub-search in quotes and I found the strcat command but that is looking for 2 fields instead of one.</P><P>&nbsp;</P> Fri, 13 Aug 2021 20:59:32 GMT https://community.splunk.com/t5/Splunk-Search/subsearch-result-as-source/m-p/563256#M196245 mpartee 2021-08-13T20:59:32Z https://community.splunk.com/t5/Splunk-Search/subsearch-result-as-source/m-p/563265#M196250 <P>Start by running the subsearch by itself to verify the result is reasonably correct as a source name.</P><P>Once you have that working, I agree you'll likely run into problems with backslashes.&nbsp; Regrettably, I don't have a working method to escape backslashes because they're also the escape character.</P> Sat, 14 Aug 2021 00:47:44 GMT https://community.splunk.com/t5/Splunk-Search/subsearch-result-as-source/m-p/563265#M196250 richgalloway 2021-08-14T00:47:44Z https://community.splunk.com/t5/Splunk-Search/subsearch-result-as-source/m-p/563277#M196255 <P>How about this? I don't have a windows machine to try but it works on test data:</P><P><FONT face="courier new,courier">index=foo<BR />&nbsp; [&nbsp;|&nbsp;tstats latest(source) as source where index=foo&nbsp;]&nbsp;</FONT></P> Sat, 14 Aug 2021 12:57:48 GMT https://community.splunk.com/t5/Splunk-Search/subsearch-result-as-source/m-p/563277#M196255 terminaloutcome 2021-08-14T12:57:48Z https://community.splunk.com/t5/Splunk-Search/subsearch-result-as-source/m-p/563278#M196256 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233073">@mpartee</a>,</P><P>Correction to&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/167526">@terminaloutcome</a>&nbsp;solution, below should work for you;</P><LI-CODE lang="markup">index=foo [ | tstats latest(source) as source where index=foo | fields source ] </LI-CODE> Sat, 14 Aug 2021 13:05:54 GMT https://community.splunk.com/t5/Splunk-Search/subsearch-result-as-source/m-p/563278#M196256 scelikok 2021-08-14T13:05:54Z https://community.splunk.com/t5/Splunk-Search/subsearch-result-as-source/m-p/563280#M196257 <P>That's curious, I don't need the explicit "| fields source" in multiple tests on my 8.2.x environment... I know I missed the "as source" in my original response, then quickly edited it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Sat, 14 Aug 2021 13:10:30 GMT https://community.splunk.com/t5/Splunk-Search/subsearch-result-as-source/m-p/563280#M196257 terminaloutcome 2021-08-14T13:10:30Z