I am trying to craft a search that uses the most recent source as the basis for my search. The source is a file path <C:\foo\bar.csv>
I think that a sub search is the best option because the source name is going to change weekly.
This is my sub search that returns one result with the file name:
index=foo
| stats latest(source) AS SourceName
| return $SourceName
This is the search that I am trying to use:
index= foo | eval source=[search index=foo | stats latest(source) AS SN | return $SN ]
But I am getting this error: Error in 'eval' command: The expression is malformed.
I have tested it when using the file path instead of the sub search and it does work, but there is one problem. I need to put the file path in quotes. I am thinking that things are breaking down because the file path has \'s in it. I tried to look into concatenating strings to put the sub-search in quotes, and I found the strcat command, but that is looking for 2 fields instead of one.
Hi @mpartee,
Correction to @terminaloutcome's solution; the following should work for you:
index=foo
[ | tstats latest(source) as source where index=foo | fields source ]
That's curious, I don't need the explicit "| fields source" in multiple tests on my 8.2.x environment... I know I missed the "as source" in my original response, then quickly edited it 🙂
How about this? I don't have a Windows machine to try it on, but it works on test data:
index=foo
[ | tstats latest(source) as source where index=foo ]
Start by running the subsearch by itself to verify the result is reasonably correct as a source name.
Once you have that working, I agree you'll likely run into problems with backslashes. Regrettably, I don't have a working method to escape backslashes because they're also the escape character.
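As an added illustration (not from any poster in this thread), this is one way to check the subsearch before relying on it: run it on its own through `format`, which emits a single `search` field containing the exact text that would be substituted into the outer search, so you can see how the Windows path is quoted. `index=foo` and the `source` field are taken from the question; everything else is assumed.

```spl
| tstats latest(source) as source where index=foo
| format
```

Once the `search` field shows a sensible, quoted source value, the same subsearch in filter position (`index=foo [ | tstats latest(source) as source where index=foo | fields source ]`) restricts the outer search to that file without going through `eval`.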