Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

subsearch result as source

mpartee
Engager
‎08-13-2021 01:59 PM

 I am trying to craft a search that uses the most recent source as the basis for my search. The source is a file path <C:\foo\bar.csv>

I think that a sub search is the best option because the source name is going to change weekly. 

This is my sub search that returns one result with the file name

index=foo
| stats latest(source) AS SourceName
| return $SourceName

This is the search that I am trying to use:

index= foo | eval source=[search index=foo | stats latest(source) AS SN | return $SN ]

But I am getting this error:  Error in 'eval' command: The expression is malformed.

I have tested it when using the file path instead of the sub search and it does work but there is one problem. I need to put the file path in quotes. I am thinking that things are breaking down because the file path has \'s in it. I tried to look into concatenating strings  to put the sub-search in quotes and I found the strcat command but that is looking for 2 fields instead of one.

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎08-14-2021 06:05 AM

Hi @mpartee,

Correction to @terminaloutcome solution, below should work for you;

index=foo
  [ | tstats latest(source) as source where index=foo | fields source ]
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎08-14-2021 06:05 AM

Hi @mpartee,

Correction to @terminaloutcome solution, below should work for you;

index=foo
  [ | tstats latest(source) as source where index=foo | fields source ]
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

terminaloutcome
Path Finder
‎08-14-2021 06:10 AM

That's curious, I don't need the explicit "| fields source" in multiple tests on my 8.2.x environment... I know I missed the "as source" in my original response, then quickly edited it 🙂

0 Karma
Reply
Solved! Jump to solution

terminaloutcome
Path Finder
‎08-14-2021 05:57 AM

How about this? I don't have a windows machine to try but it works on test data:

index=foo
  [ | tstats latest(source) as source where index=foo ] 

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-13-2021 05:47 PM

Start by running the subsearch by itself to verify the result is reasonably correct as a source name.

Once you have that working, I agree you'll likely run into problems with backslashes.  Regrettably, I don't have a working method to escape backslashes because they're also the escape character.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...