All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where does collect command indexes its result?

thambisetty
SplunkTrust
SplunkTrust
‎07-25-2018 10:35 AM

Hi Splunkers,

I am trying to understand where collect command indexes its result. collect command in the document says "Adds the results of a search to a summary index that you specify". If its adding results to summary index then there should be summary folder created under $SPLUNK_HOME/var/lib/index_specified_in_collect_command. I don't see one created under index but I am still able to search the data using the index. I am wondering collect command is writing data to db folder?

————————————
If this helps, give a like below.
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-25-2018 11:03 AM

The "summary" in summary indexing refers to type of data (usually summarized result for a search), but it's actually stored as any other monitored data that comes to Splunk. The "summary directory in the index folder ($SPLUNK_HOME/var/lib/index_specified_in_collect_command) is for saving report acceleration results, not the actual summary index data. (See the link below).

http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Manageacceleratedsearchsummaries#Where_r...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-25-2018 11:03 AM

The "summary" in summary indexing refers to type of data (usually summarized result for a search), but it's actually stored as any other monitored data that comes to Splunk. The "summary directory in the index folder ($SPLUNK_HOME/var/lib/index_specified_in_collect_command) is for saving report acceleration results, not the actual summary index data. (See the link below).

http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Manageacceleratedsearchsummaries#Where_r...

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎07-25-2018 11:28 AM

Thank you. I had forgotten this.

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎07-25-2018 10:52 AM

I could see the number of events which I have collected and indexed using collect command in hot db using dbinspect command, this is confirmed based on the sourceCount and eventCount. This means events are written to db folder?

————————————
If this helps, give a like below.
0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...