Splunk Search

subsearch result as source

mpartee
Engager

 I am trying to craft a search that uses the most recent source as the basis for my search. The source is a file path <C:\foo\bar.csv>

I think that a sub search is the best option because the source name is going to change weekly. 

This is my sub search that returns one result with the file name

index=foo
| stats latest(source) AS SourceName
| return $SourceName

This is the search that I am trying to use:

index= foo | eval source=[search index=foo | stats latest(source) AS SN | return $SN ]

But I am getting this error:  Error in 'eval' command: The expression is malformed.

I have tested it when using the file path instead of the sub search and it does work but there is one problem. I need to put the file path in quotes. I am thinking that things are breaking down because the file path has \'s in it. I tried to look into concatenating strings  to put the sub-search in quotes and I found the strcat command but that is looking for 2 fields instead of one.


scelikok
SplunkTrust

Hi @mpartee,

Correction to @terminaloutcome's solution; the below should work for you:

index=foo
  [ | tstats latest(source) as source where index=foo | fields source ] 
If this reply helps you, an upvote and "Accept as Solution" is appreciated.

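Before trusting the subsearch inside the outer search, it helps to see the filter text it will hand back. The search below is an added example, not part of the answer above; it assumes the index `foo` and a Windows-style source path such as `C:\foo\bar.csv` from the question.

```spl
| tstats latest(source) AS source where index=foo
| fields source
| format
```

The `search` field in the result is exactly what gets spliced into `index=foo [ ... ]`, so if the backslashes in the path come back altered or unquoted, that is where the outer search will break.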

terminaloutcome
Path Finder

That's curious, I don't need the explicit "| fields source" in multiple tests on my 8.2.x environment... I know I missed the "as source" in my original response, then quickly edited it 🙂


terminaloutcome
Path Finder

How about this? I don't have a Windows machine to try but it works on test data:

index=foo
  [ | tstats latest(source) as source where index=foo ] 

richgalloway
SplunkTrust

Start by running the subsearch by itself to verify the result is reasonably correct as a source name.

Once you have that working, I agree you'll likely run into problems with backslashes. Regrettably, I don't have a working method to escape backslashes because they're also the escape character.

---
If this reply helps you, Karma would be appreciated.