How can I give source string dynamically in COLLEC...

tac24 · ‎07-11-2018

I want to extract a value dynamically in a subsearch and give the value (string) to source= << string>> of COLLECT command. The following example is extracting YYYYMMDD from the source field and making "src_yyyymmdd" string that will be given to source=<< string>> of the COLLECT command.

    main search... | collect index="ABC" source=[search index="XYZ" 
        |head 1 | rex field=source "^FILENAME_(?<YYYYMMDD>\d{8})_.*"
        | eval fieldval="\""+"src_"+YYYYMMDD+"\""  
        | table source YYYYMMDD fieldval
        | return $fieldval]

When I checked the above subsearch as a main search, every field value after table command was what I expected.

Unfortunately, the result was Error in 'collect' command: Invalid argument: 'src_20180705'

Could someone tell me why this happens and how to solve this problem?

Thanks.

niketn · ‎07-15-2018

@tac24 can you not override the source field even before the collect command with the value you need?

| eval source= [<yourQueryToGetNewSource>]
| collect <yourCommandArguments>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

poete · ‎07-15-2018

Hello @tac24,

the documentation states : Syntax: source= (from http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Collect).

It seems that you have the same problem as this one : https://answers.splunk.com/answers/240798/how-to-return-a-single-value-from-a-subsearch-into.html

So, this should do :

main search... | collect index="ABC" source=[search index="XYZ" 
         |head 1 | rex field=source "^FILENAME_(?<YYYYMMDD>\d{8})_.*"
         | eval val="src_".YYYYMMDD
         | eval fieldval="\"".val."\""
         | table source YYYYMMDD fieldval
         | return $fieldval]

How can I give source string dynamically in COLLECT command?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes