Getting Data In

Can I use the collect command to write metrics data to a metrics index?

andrewtrobec
Motivator

Hello,

I am using Splunk Enterprise 7.3.2. and I have structured event data within an events index that I am trying to convert into metrics data so that I can store it in a metrics index.  I am basing my analysis on the following topic: Get metrics in from other sources.

I've managed to create a search that converts my event data into the format that is required by the metrics_csv sourcetype, after which I run the collect command to push the data:

| collect index="metrics_index" sourcetype="metrics_csv"

One thing to note is that when I rename my metric value field to _value, the field disappears from the statistics table.

Once the search has completed I am unable to access that data using mstats and mcatalog commands on the metrics index.

Is what I am trying to do possible?

To test whether the format was correct I exported the search results and indexed them by hand.  This worked.

Thank you and best regards,

Andrew

Labels (4)
0 Karma
1 Solution

ccl0utier
Splunk Employee
Splunk Employee

The collect command is used to send data to a summary index, not a metrics index.

Have a look at the mcollect and meventcollect commands.  They can be used to send event data to a metrics index.

View solution in original post

andrewtrobec
Motivator

yeeeeeeeeeeeeeeeeeees!

0 Karma

ccl0utier
Splunk Employee
Splunk Employee

The collect command is used to send data to a summary index, not a metrics index.

Have a look at the mcollect and meventcollect commands.  They can be used to send event data to a metrics index.

Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...