Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How long it takes to insert data to index by collect?

stavakler
Explorer
‎02-17-2022 01:56 AM

Hi, 
I did an alert that should run every day at the same time, at the end of the alert I used "collect" -> 

 

 

| collect index="index_name"

 

 

 

 every day the job is running (it takes 1~ min) but I don't see the new events after the job is finished... 
how long is it supposed to take until I will see it on the index? 
 this is the search I do (with filter last 24h)  ->

 

 

 

index="index_name"

 

 

 

 

Labels (1)
Labels
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-17-2022 02:48 AM

The events given to the collect command are written to splunk's spool directory to be indexed. Check whether there are any holds up in this process. The internal log for any errors or warnings in this area.

0 Karma
Reply

stavakler
Explorer
‎02-17-2022 04:54 AM

what is that? 
where can I see this directory? 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-17-2022 02:02 AM

Hi @stavakler,

Could you better describe your need?

it seems that

  • you have a scheduled search (an alert) that, every time have results, writes the results in a summary index called "index_name",
  • then you would find events in the summary inded but you haven't,

is it correct?

Could you share your full search?

Ciao.

Giuseppe

0 Karma
Reply

stavakler
Explorer
‎02-17-2022 02:12 AM

exactly, It seems that it takes hours until the events show on the summary index...
I can't share the full search, but eventually, I do 

 | table field1, field2, field3 | collect="Index_name"


and after the job finished I tried to find the new events on the index but the search returned 0 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-17-2022 02:16 AM

Hi @stavakler,

you can check your alert manually running your search and checking if you have results.

If you usually don't have results, you could enlarge the time period or changing (only for test) your conditions to be sure to have results.

Then you can check if the results are in the summary index (that obviously must exist!).

Ciao.

Giuseppe

0 Karma
Reply

stavakler
Explorer
‎02-17-2022 02:26 AM

I do have results... 

stavakler_0-1645093648853.png

 

stavakler_1-1645093607303.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-17-2022 02:32 AM

Hi @stavakler,

sorry I didn't noted it in my first reading, the syntax of collect command is different

| collect index="Index_name"

as you can see at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/collect

then you can search

index="Index_name"

and find the events.

Ciao.

Giuseppe

 

0 Karma
Reply

stavakler
Explorer
‎02-17-2022 04:47 AM

This is not the problem... I wrote exactly as said on their page 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-17-2022 05:07 AM

Hi @stavakler,

what does it happen using my hint?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...