Where does the collect command index its result?

thambisetty
SplunkTrust

Hi Splunkers,

I am trying to understand where the collect command indexes its result. The collect command documentation says "Adds the results of a search to a summary index that you specify". If it's adding results to a summary index, then there should be a summary folder created under $SPLUNK_HOME/var/lib/index_specified_in_collect_command. I don't see one created under the index, but I am still able to search the data using the index. I am wondering, is the collect command writing data to the db folder?


somesoni2
Revered Legend

The "summary" in summary indexing refers to the type of data (usually the summarized result of a search), but it's actually stored like any other monitored data that comes to Splunk. The "summary" directory in the index folder ($SPLUNK_HOME/var/lib/index_specified_in_collect_command) is for saving report acceleration results, not the actual summary index data. (See the link below.)

http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Manageacceleratedsearchsummaries#Where_r...


thambisetty
SplunkTrust

Thank you. I had forgotten this.


thambisetty
SplunkTrust

I could see the number of events which I have collected and indexed using the collect command in the hot db using the dbinspect command; this is confirmed based on the sourceCount and eventCount. This means events are written to the db folder?
