topic Results from Collect command not writing to index? in Splunk Search

Results from Collect command not writing to index?

Aroot002 — Fri, 17 Feb 2023 21:46:04 GMT

Hi everyone,

I recently took over a project by someone who is no longer with my employer. He made several scheduled searches that write to an index, and it was working great. However last month out of nowhere it just stopped working. Supposedly no changes were made.

The other searches are working, it's just this one. The search runs just fine, gets the expected results, but the results aren't being exported to the index.

I actually found another post on here with someone who looked to have the same problem, but it wasn't successfully answered.

Another post suggested that a forwarder might be a solution. Does that seem right? I'd rather avoid that solution as I don't want to be installing apps on this environment, but if necessary I will get the permission. Just want to make sure that's a probable solution before doing so.

Re: Results from Collect command not writing to index?

gcusello — Sat, 18 Feb 2023 07:26:36 GMT

Hi @Aroot002,

I suppose that you manually checked the scheduled search, but you checked it in the same time windows of the scheduled search?, in other words, if you search must run at 01.00 and there'a a condition earliest=now, you cannot check it at a different time, so try it again using the same time frame of the scheduled search.

Ciao.

Giuseppe

Re: Results from Collect command not writing to index?

Aroot002 — Mon, 20 Feb 2023 16:27:38 GMT

My earliest is 45 days ago and my latest is the current hour, as it is a scheduled hourly search. Results look exactly as they should but are not being written to the index.

Even so, if I run the search manually shouldn't the results of that search be written to the index? That's not happening.

Re: Results from Collect command not writing to index?

gcusello — Mon, 20 Feb 2023 17:11:06 GMT

Hi @Aroot002 ,

if the collect command is at the end of your scheduled search, also manually running it results are written in the summary index.

Ciao.

Giuseppe

Re: Results from Collect command not writing to index?

Aroot002 — Mon, 20 Feb 2023 18:49:36 GMT

Yes, the last line is

| collect index=indexname source=sourcename

But when I run simply

index=indexname

after running that search, those results don't show up. Everything was working fine until one day in January when it just stopped writting results to the index.

Re: Results from Collect command not writing to index?

Aroot002 — Mon, 20 Feb 2023 20:51:08 GMT

Figured it out, needed to add an eval column with the current time to match with the live results

Re: Results from Collect command not writing to index?

gcusello — Tue, 21 Feb 2023 07:25:17 GMT

Hi @Aroot002,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: Results from Collect command not writing to index?

Seawheels51 — Fri, 10 Jan 2025 21:58:31 GMT

Collect is very time sensitive and as @gcusello pointed out. My search and collect writing to index was working. I changed the _time=now() to use a now time 14 eval statements earlier in the search and it stopped writing to the index. After viewing this thread, I changed it back to these final three lines in search and now successfully writing the results to index every time:

| eval now=now() | eval _time=now | collect index=index output_format=raw spool=true source=yourSource sourcetype=stash