https://community.splunk.com/t5/Splunk-Search/Why-is-the-collect-command-not-working-when-used-with-map/m-p/266880#M80275 <P>The quotes in delims=" " may need to be escaped.</P> Wed, 01 Feb 2017 21:58:35 GMT DalJeanis 2017-02-01T21:58:35Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-collect-command-not-working-when-used-with-map/m-p/266879#M80274 <P>If I do this search</P> <PRE><CODE> index=log NOT "*INFO*" earliest=-40d@d latest=-39d@d | cluster t=0.3 field=raw showcount=t labelonly=false delims=" " | eval old_label=cluster_label | eventstats sum(cluster_count) as total_events | eval Freq_Baseline=cluster_count/total_events | fields _time, raw, old_label, cluster_count, Freq_Baseline, total_events | collect index=clusters </CODE></PRE> <P>Everything gets collected in index=clusters</P> <P>BUT if I include this in a map,</P> <PRE><CODE>index=is_log | head 1 | streamstats count as latest | eval latest = 40 | eval earliest=latest + 1 | eval earliest= tostring(-earliest) + "d@d" | eval latest= tostring(-latest) + "d@d" | map maxsearches=35 search="search index=is_log NOT "*INFO*" earliest=$earliest$ latest=$latest$ | cluster t=0.3 field=raw showcount=t labelonly=false delims=" " | eval old_label=cluster_label | eventstats sum(cluster_count) as total_events | eval Freq_Baseline=cluster_count/total_events | fields _time, raw, old_label, cluster_count, Freq_Baseline, total_events | collect index=clusters" </CODE></PRE> <P>Then nothing is collected in the index, although the same results show up on the screen</P> Wed, 01 Feb 2017 15:21:17 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-collect-command-not-working-when-used-with-map/m-p/266879#M80274 TiagoTLD1 2017-02-01T15:21:17Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-collect-command-not-working-when-used-with-map/m-p/266880#M80275 <P>The quotes in delims=" " may need to be escaped.</P> Wed, 01 Feb 2017 21:58:35 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-collect-command-not-working-when-used-with-map/m-p/266880#M80275 DalJeanis 2017-02-01T21:58:35Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-collect-command-not-working-when-used-with-map/m-p/266881#M80276 <P>Thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 02 Feb 2017 10:19:05 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-collect-command-not-working-when-used-with-map/m-p/266881#M80276 TiagoTLD1 2017-02-02T10:19:05Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-collect-command-not-working-when-used-with-map/m-p/266882#M80277 <P>The above command was really helpful so what if want to move source of data to other index without changing values to stash.</P> Wed, 10 May 2017 00:02:54 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-collect-command-not-working-when-used-with-map/m-p/266882#M80277 rvanteru 2017-05-10T00:02:54Z