Splunk Search

How can I give source string dynamically in COLLECT command?

tac24
New Member

I want to extract a value dynamically in a subsearch and give the value (string) to source= << string>> of COLLECT command. The following example is extracting YYYYMMDD from the source field and making "src_yyyymmdd" string that will be given to source=<< string>> of the COLLECT command.

    main search... | collect index="ABC" source=[search index="XYZ" 
        |head 1 | rex field=source "^FILENAME_(?<YYYYMMDD>\d{8})_.*"
        | eval fieldval="\""+"src_"+YYYYMMDD+"\""  
        | table source YYYYMMDD fieldval
        | return $fieldval]

When I checked the above subsearch as a main search, every field value after table command was what I expected.

alt text

Unfortunately, the result was Error in 'collect' command: Invalid argument: 'src_20180705'

Could someone tell me why this happens and how to solve this problem?

Thanks.

0 Karma

niketn
Legend

@tac24 can you not override the source field even before the collect command with the value you need?

| eval source= [<yourQueryToGetNewSource>]
| collect <yourCommandArguments>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

poete
Builder

Hello @tac24,

the documentation states : Syntax: source= (from http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Collect).

It seems that you have the same problem as this one : https://answers.splunk.com/answers/240798/how-to-return-a-single-value-from-a-subsearch-into.html

So, this should do :

main search... | collect index="ABC" source=[search index="XYZ" 
         |head 1 | rex field=source "^FILENAME_(?<YYYYMMDD>\d{8})_.*"
         | eval val="src_".YYYYMMDD
         | eval fieldval="\"".val."\""
         | table source YYYYMMDD fieldval
         | return $fieldval]
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...