Splunk Search

subsearch result as source

mpartee
Engager

 I am trying to craft a search that uses the most recent source as the basis for my search. The source is a file path <C:\foo\bar.csv>

I think that a sub search is the best option because the source name is going to change weekly. 

This is my sub search that returns one result with the file name

index=foo
| stats latest(source) AS SourceName
| return $SourceName

This is the search that I am trying to use:

index= foo | eval source=[search index=foo | stats latest(source) AS SN | return $SN ]

But I am getting this error:  Error in 'eval' command: The expression is malformed.

I have tested it when using the file path instead of the sub search and it does work but there is one problem. I need to put the file path in quotes. I am thinking that things are breaking down because the file path has \'s in it. I tried to look into concatenating strings  to put the sub-search in quotes and I found the strcat command but that is looking for 2 fields instead of one.

 

Labels (2)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @mpartee,

Correction to @terminaloutcome solution, below should work for you;

index=foo
  [ | tstats latest(source) as source where index=foo | fields source ] 
If this reply helps you an upvote is appreciated.

View solution in original post

scelikok
SplunkTrust
SplunkTrust

Hi @mpartee,

Correction to @terminaloutcome solution, below should work for you;

index=foo
  [ | tstats latest(source) as source where index=foo | fields source ] 
If this reply helps you an upvote is appreciated.

terminaloutcome
Path Finder

That's curious, I don't need the explicit "| fields source" in multiple tests on my 8.2.x environment... I know I missed the "as source" in my original response, then quickly edited it 🙂

0 Karma

terminaloutcome
Path Finder

How about this? I don't have a windows machine to try but it works on test data:

index=foo
  [ | tstats latest(source) as source where index=foo ] 

richgalloway
SplunkTrust
SplunkTrust

Start by running the subsearch by itself to verify the result is reasonably correct as a source name.

Once you have that working, I agree you'll likely run into problems with backslashes.  Regrettably, I don't have a working method to escape backslashes because they're also the escape character.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...