Where does the collect command index its result?

thambisetty
SplunkTrust

Hi Splunkers,

I am trying to understand where the collect command indexes its result. The documentation for the collect command says "Adds the results of a search to a summary index that you specify". If it's adding results to a summary index, then there should be a summary folder created under $SPLUNK_HOME/var/lib/index_specified_in_collect_command. I don't see one created under the index, but I am still able to search the data using the index. I am wondering, is the collect command writing data to the db folder?

————————————
If this helps, give a like below.
1 Solution

somesoni2
Revered Legend

The "summary" in summary indexing refers to the type of data (usually the summarized result of a search), but it's actually stored like any other monitored data that comes into Splunk. The "summary" directory in the index folder ($SPLUNK_HOME/var/lib/index_specified_in_collect_command) is for saving report acceleration results, not the actual summary index data. (See the link below.)

http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Manageacceleratedsearchsummaries#Where_r...


thambisetty
SplunkTrust

Thank you. I had forgotten this.

————————————
If this helps, give a like below.

thambisetty
SplunkTrust

I could see the number of events that I collected and indexed using the collect command in the hot db using the dbinspect command; this is confirmed based on the sourceCount and eventCount. Does this mean events are written to the db folder?

————————————
If this helps, give a like below.
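
An on-disk counterpart to the dbinspect check described in the last post, as an added example that is not part of the original thread or Splunk's own tooling: it counts event buckets under an index's db and colddb folders and the entries under its summary folder. The folder names and bucket directory naming patterns are assumptions about a default Splunk layout, and the layout built in the demo is constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed bucket directory naming in a default Splunk index layout:
#   hot_v1_<id>                        hot bucket, still being written
#   db_<newest>_<oldest>_<id>[_<guid>] warm (db/) or cold (colddb/) bucket
#   rb_<newest>_<oldest>_<id>[_<guid>] replicated copy on a clustered indexer
HOT = re.compile(r"^hot_v\d+_(\d+)$")
ROLLED = re.compile(r"^(db|rb)_(\d+)_(\d+)_(\d+)(?:_[0-9A-Fa-f-]+)?$")


def classify_bucket(name):
    """Return (kind, newest_epoch, oldest_epoch), or None if not a bucket."""
    if HOT.match(name):
        return ("hot", None, None)
    m = ROLLED.match(name)
    if m:
        kind = "rolled" if m.group(1) == "db" else "replica"
        return (kind, int(m.group(2)), int(m.group(3)))
    return None


def summarize_index_dir(index_home):
    """Count event buckets and summary/ entries under one index directory."""
    index_home = Path(index_home)
    report = {"hot": 0, "warm": 0, "cold": 0, "replica": 0,
              "summary_entries": 0, "newest": None, "oldest": None}
    for sub, rolled_state in (("db", "warm"), ("colddb", "cold")):
        folder = index_home / sub
        for entry in (folder.iterdir() if folder.is_dir() else ()):
            info = classify_bucket(entry.name) if entry.is_dir() else None
            if info is None:
                continue  # skip non-bucket files such as CreationTime
            kind, newest, oldest = info
            report[rolled_state if kind == "rolled" else kind] += 1
            if newest is not None:
                report["newest"] = max(report["newest"] or newest, newest)
                report["oldest"] = min(report["oldest"] or oldest, oldest)
    summary = index_home / "summary"
    if summary.is_dir():
        report["summary_entries"] = sum(1 for _ in summary.iterdir())
    return report


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample layout
        for d in ("db/hot_v1_3", "db/db_1700003600_1700000000_2", "summary"):
            (Path(tmp) / d).mkdir(parents=True)
        print(summarize_index_dir(tmp))
```

On an index populated only by collect, the expected picture is non-zero hot or warm counts with `summary_entries` at zero, matching the accepted answer.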