Splunk Search

## subsearch result as source

Engager

I am trying to craft a search that uses the most recent source as the basis for my search. The source is a file path <C:\foo\bar.csv>

I think that a subsearch is the best option because the source name is going to change weekly.

This is my subsearch that returns one result with the file name:

index=foo
| stats latest(source) AS SourceName
| return $SourceName

This is the search that I am trying to use:

index=foo
| eval source=[search index=foo | stats latest(source) AS SN | return $SN ]

But I am getting this error: Error in 'eval' command: The expression is malformed.

I have tested it when using the file path instead of the subsearch and it does work, but there is one problem. I need to put the file path in quotes. I am thinking that things are breaking down because the file path has \'s in it. I tried to look into concatenating strings to put the subsearch in quotes and I found the strcat command, but that is looking for 2 fields instead of one.

Labels (2)

• subsearch

1 Solution
SplunkTrust

Hi @mpartee,

Correction to @terminaloutcome's solution; the search below should work for you:

index=foo
[ | tstats latest(source) as source where index=foo | fields source ]
If this reply helps you an upvote is appreciated.
Path Finder

That's curious, I don't need the explicit "| fields source" in multiple tests on my 8.2.x environment... I know I missed the "as source" in my original response, then quickly edited it 🙂

Path Finder

How about this? I don't have a Windows machine to try it on, but it works on test data:

index=foo
[ | tstats latest(source) as source where index=foo ]

SplunkTrust

Start by running the subsearch by itself to verify the result is reasonably correct as a source name.

Once you have that working, I agree you'll likely run into problems with backslashes.  Regrettably, I don't have a working method to escape backslashes because they're also the escape character.

---
If this reply helps you, Karma would be appreciated.
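Putting the accepted tstats answer and the advice above (run the subsearch on its own before trusting it) together, here is an added example of my own; it is not code posted by any of the repliers. It uses the index name and the path from the question, assumes the `comment` macro that ships with Splunk 7.3 and later for inline notes, and the closing `stats count BY source` is only an illustration of doing something with the matched events.

```spl
| tstats latest(source) AS source WHERE index=foo
`comment("Check first: append format to the subsearch run on its own. The search field it emits is the literal text Splunk will substitute for the square brackets, so you can see how the path, its backslashes and the quoting come out before relying on it.")`
| fields source
| format

index=foo
    `comment("Outer search: Splunk runs the bracketed subsearch first and replaces it with the text shown by format, which already carries a source= filter, so no eval, quoting or strcat is needed on the outer side.")`
    [ | tstats latest(source) AS source WHERE index=foo
      | fields source ]
| stats count BY source
```

The two searches are meant to be run separately: the first one is the check, the second one is the real search. If the first search shows something other than a single `source=` term for the most recent file, fix the subsearch (the `fields source` keeps the implicit format step from picking up extra fields) before adding it to the outer search.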