Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

subsearch result as source

mpartee
Engager
‎08-13-2021 01:59 PM

 I am trying to craft a search that uses the most recent source as the basis for my search. The source is a file path <C:\foo\bar.csv>

I think that a sub search is the best option because the source name is going to change weekly. 

This is my sub search that returns one result with the file name

index=foo
| stats latest(source) AS SourceName
| return $SourceName

This is the search that I am trying to use:

index= foo | eval source=[search index=foo | stats latest(source) AS SN | return $SN ]

But I am getting this error:  Error in 'eval' command: The expression is malformed.

I have tested it when using the file path instead of the sub search and it does work but there is one problem. I need to put the file path in quotes. I am thinking that things are breaking down because the file path has \'s in it. I tried to look into concatenating strings  to put the sub-search in quotes and I found the strcat command but that is looking for 2 fields instead of one.

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎08-14-2021 06:05 AM

Hi @mpartee,

Correction to @terminaloutcome solution, below should work for you;

index=foo
  [ | tstats latest(source) as source where index=foo | fields source ]
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎08-14-2021 06:05 AM

Hi @mpartee,

Correction to @terminaloutcome solution, below should work for you;

index=foo
  [ | tstats latest(source) as source where index=foo | fields source ]
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

terminaloutcome
Path Finder
‎08-14-2021 06:10 AM

That's curious, I don't need the explicit "| fields source" in multiple tests on my 8.2.x environment... I know I missed the "as source" in my original response, then quickly edited it 🙂

0 Karma
Reply
Solved! Jump to solution

terminaloutcome
Path Finder
‎08-14-2021 05:57 AM

How about this? I don't have a windows machine to try but it works on test data:

index=foo
  [ | tstats latest(source) as source where index=foo ] 

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-13-2021 05:47 PM

Start by running the subsearch by itself to verify the result is reasonably correct as a source name.

Once you have that working, I agree you'll likely run into problems with backslashes.  Regrettably, I don't have a working method to escape backslashes because they're also the escape character.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...