Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How long it takes to insert data to index by collect?

stavakler
Explorer
‎02-17-2022 01:56 AM

Hi, 
I did an alert that should run every day at the same time, at the end of the alert I used "collect" -> 

 

 

| collect index="index_name"

 

 

 

 every day the job is running (it takes 1~ min) but I don't see the new events after the job is finished... 
how long is it supposed to take until I will see it on the index? 
 this is the search I do (with filter last 24h)  ->

 

 

 

index="index_name"

 

 

 

 

Labels (1)
Labels
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-17-2022 02:48 AM

The events given to the collect command are written to splunk's spool directory to be indexed. Check whether there are any holds up in this process. The internal log for any errors or warnings in this area.

0 Karma
Reply

stavakler
Explorer
‎02-17-2022 04:54 AM

what is that? 
where can I see this directory? 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-17-2022 02:02 AM

Hi @stavakler,

Could you better describe your need?

it seems that

  • you have a scheduled search (an alert) that, every time have results, writes the results in a summary index called "index_name",
  • then you would find events in the summary inded but you haven't,

is it correct?

Could you share your full search?

Ciao.

Giuseppe

0 Karma
Reply

stavakler
Explorer
‎02-17-2022 02:12 AM

exactly, It seems that it takes hours until the events show on the summary index...
I can't share the full search, but eventually, I do 

 | table field1, field2, field3 | collect="Index_name"


and after the job finished I tried to find the new events on the index but the search returned 0 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-17-2022 02:16 AM

Hi @stavakler,

you can check your alert manually running your search and checking if you have results.

If you usually don't have results, you could enlarge the time period or changing (only for test) your conditions to be sure to have results.

Then you can check if the results are in the summary index (that obviously must exist!).

Ciao.

Giuseppe

0 Karma
Reply

stavakler
Explorer
‎02-17-2022 02:26 AM

I do have results... 

stavakler_0-1645093648853.png

 

stavakler_1-1645093607303.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-17-2022 02:32 AM

Hi @stavakler,

sorry I didn't noted it in my first reading, the syntax of collect command is different

| collect index="Index_name"

as you can see at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/collect

then you can search

index="Index_name"

and find the events.

Ciao.

Giuseppe

 

0 Karma
Reply

stavakler
Explorer
‎02-17-2022 04:47 AM

This is not the problem... I wrote exactly as said on their page 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-17-2022 05:07 AM

Hi @stavakler,

what does it happen using my hint?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...