Solved: Can I use the collect command to write metrics dat...

andrewtrobec · ‎09-30-2020

Hello,

I am using Splunk Enterprise 7.3.2. and I have structured event data within an events index that I am trying to convert into metrics data so that I can store it in a metrics index. I am basing my analysis on the following topic: Get metrics in from other sources.

I've managed to create a search that converts my event data into the format that is required by the metrics_csv sourcetype, after which I run the collect command to push the data:

| collect index="metrics_index" sourcetype="metrics_csv"

One thing to note is that when I rename my metric value field to _value, the field disappears from the statistics table.

Once the search has completed I am unable to access that data using mstats and mcatalog commands on the metrics index.

Is what I am trying to do possible?

To test whether the format was correct I exported the search results and indexed them by hand. This worked.

Thank you and best regards,

Andrew

ccl0utier · ‎09-30-2020

The collect command is used to send data to a summary index, not a metrics index.

Have a look at the mcollect and meventcollect commands. They can be used to send event data to a metrics index.

View solution in original post

andrewtrobec · ‎09-30-2020

yeeeeeeeeeeeeeeeeeees!

ccl0utier · ‎09-30-2020

The collect command is used to send data to a summary index, not a metrics index.

Have a look at the mcollect and meventcollect commands. They can be used to send event data to a metrics index.

Can I use the collect command to write metrics data to a metrics index?

index

other

sourcetype

time

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...