Getting Data In

Can I use the collect command to write metrics data to a metrics index?

andrewtrobec
Builder

Hello,

I am using Splunk Enterprise 7.3.2. and I have structured event data within an events index that I am trying to convert into metrics data so that I can store it in a metrics index.  I am basing my analysis on the following topic: Get metrics in from other sources.

I've managed to create a search that converts my event data into the format that is required by the metrics_csv sourcetype, after which I run the collect command to push the data:

| collect index="metrics_index" sourcetype="metrics_csv"

One thing to note is that when I rename my metric value field to _value, the field disappears from the statistics table.

Once the search has completed I am unable to access that data using mstats and mcatalog commands on the metrics index.

Is what I am trying to do possible?

To test whether the format was correct I exported the search results and indexed them by hand.  This worked.

Thank you and best regards,

Andrew

Labels (4)
0 Karma
1 Solution

ccloutier_splun
Splunk Employee
Splunk Employee

The collect command is used to send data to a summary index, not a metrics index.

Have a look at the mcollect and meventcollect commands.  They can be used to send event data to a metrics index.

View solution in original post

andrewtrobec
Builder

yeeeeeeeeeeeeeeeeeees!

0 Karma

ccloutier_splun
Splunk Employee
Splunk Employee

The collect command is used to send data to a summary index, not a metrics index.

Have a look at the mcollect and meventcollect commands.  They can be used to send event data to a metrics index.

View solution in original post

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!