Alerting

How to populate a summary index created with alerts that have the collect option on them?

borja_luaces
New Member

Good morning all,

First of all, I have to say that this question may already have been answered, but I have not been able to find a reply that fits what I am looking for.

I have a set of rules that run in real time, where the last command in each rule is "| collect". At the same time I have created the index via the index cluster, deployed it to the indexers, and checked that the index exists on our indexers.

The thing is that when I make the rules trigger, I do not see the event being generated in the destination index, but I do see it in the Triggered Alerts view.

How can I populate the summary index I created with the alerts that have the collect option on them?

Regards.

0 Karma

adonio
Ultra Champion

Why use collect for this? Why use real time is another story, but regardless: when saving your alert, under your alert actions, just add "Log Event" and specify the index.

Hope it helps.

0 Karma
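For reference, here is what the two approaches look like in savedsearches.conf on the search head. This is an added example, not configuration from either poster: the stanza names, the search text, the rule field and the index name `alert_summary` are assumptions. The first stanza uses the built-in summary-index alert action, which writes the result rows itself (no trailing `| collect` needed); the second uses the "Log Event" action adonio mentions, which writes one event per trigger built from `$result.<field>$` tokens.

```ini
# savedsearches.conf (added example; stanza names, search, and the index
# name "alert_summary" are assumptions). "alert_summary" must already
# exist on the indexers that this search head forwards to.

# Option 1: built-in summary-index action. Every row of the result set is
# written to the named index, so the search body has no "| collect".
[Failed logons - summary index]
search = index=wineventlog EventCode=4625 | stats count by user, src
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.summary_index = 1
action.summary_index._name = alert_summary
# Extra field stamped on each summary event so the originating rule is searchable.
action.summary_index.rule = failed_logons

# Option 2: "Log Event" action. One event per trigger; the $result.*$
# tokens are filled from the first result row.
[Failed logons - log event]
search = index=wineventlog EventCode=4625 | stats count by user, src
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.logevent = 1
action.logevent.param.index = alert_summary
action.logevent.param.sourcetype = alert:failed_logons
action.logevent.param.event = rule=failed_logons user=$result.user$ src=$result.src$ count=$result.count$
```

Two checks worth making when the events still do not show up. First, if you keep `| collect` in the search, name the target explicitly (`| collect index=alert_summary`); without `index=`, collect writes to the default `summary` index, so an event can land there rather than in the index you created. Second, summary indexing via collect or the summary-index action spools the results on the search head and they are forwarded according to the search head's outputs.conf, so the search head must be forwarding to the indexers that hold `alert_summary`. Verify with a search such as `index=alert_summary` over All time, since summary events carry the `_time` of the original results, not the time of the write.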

dto20
New Member

But "log event" only works if you have the index on the search heads. What do you do if your summary index is on an index cluster?

0 Karma