Splunk Search

subsearch result as source

mpartee
Engager

 I am trying to craft a search that uses the most recent source as the basis for my search. The source is a file path <C:\foo\bar.csv>

I think that a sub search is the best option because the source name is going to change weekly. 

This is my sub search that returns one result with the file name

index=foo
| stats latest(source) AS SourceName
| return $SourceName

This is the search that I am trying to use:

index= foo | eval source=[search index=foo | stats latest(source) AS SN | return $SN ]

But I am getting this error:  Error in 'eval' command: The expression is malformed.

I have tested it when using the file path instead of the sub search and it does work but there is one problem. I need to put the file path in quotes. I am thinking that things are breaking down because the file path has \'s in it. I tried to look into concatenating strings  to put the sub-search in quotes and I found the strcat command but that is looking for 2 fields instead of one.

 

Labels (2)
0 Karma
1 Solution

scelikok
Champion

Hi @mpartee,

Correction to @terminaloutcome solution, below should work for you;

index=foo
  [ | tstats latest(source) as source where index=foo | fields source ] 
If this reply helps you an upvote is appreciated.

View solution in original post

scelikok
Champion

Hi @mpartee,

Correction to @terminaloutcome solution, below should work for you;

index=foo
  [ | tstats latest(source) as source where index=foo | fields source ] 
If this reply helps you an upvote is appreciated.

View solution in original post

terminaloutcome
Explorer

That's curious, I don't need the explicit "| fields source" in multiple tests on my 8.2.x environment... I know I missed the "as source" in my original response, then quickly edited it 🙂

0 Karma

terminaloutcome
Explorer

How about this? I don't have a windows machine to try but it works on test data:

index=foo
  [ | tstats latest(source) as source where index=foo ] 

richgalloway
SplunkTrust
SplunkTrust

Start by running the subsearch by itself to verify the result is reasonably correct as a source name.

Once you have that working, I agree you'll likely run into problems with backslashes.  Regrettably, I don't have a working method to escape backslashes because they're also the escape character.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!