Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Missing fields after collect command is ran on a search

arpit_arora
Explorer
‎03-13-2018 04:37 PM

Hello, I have the following search query which retrieves the metadata for all the splunk search queries ran in the last hour.

I am also using 'collect' to push this data into the splunkmetrics index with sourcetype 'queries'.

My issue is that if I run this without the collect command at the end, I can see all the 13 fields in a table format, as one would expect. However when I 'collect' these fields in the splunkmetrics index, I see that only a few fields are put into the splunkmetrics index. In other words, I see that my splunkmetrics summary index does not contain all the fields which are returned by the preceding query.

What am I doing wrong here?

===========================================================================================

index=_audit action=search sourcetype=audittrail search_id!="'rsa_*" earliest=-1h@h latest=-0h@h |

eval user = if(user="n/a", null(), user) |

stats min(_time) as _time,
max(total_run_time) as total_run_time,
values(info) as info,
first(host) as searchhead,
values(search) as search,
values(savedsearch_name) as savedsearch_name,
values(user) as user,
values(event_count) as event_count,
values(result_count) as result_count,
values(available_count) as available_count,
values(scan_count) as scan_count,
values(drop_count) as drop_count,
values(is_realtime) as is_realtime

by search_id

| where (isnotnull(search) AND search!="") OR (isnotnull(savedsearch_name) AND savedsearch_name!="") | collect index=splunkmetrics sourcetype=queries

===========================================================================================

Reply

robertosegantin
Path Finder
‎05-14-2018 03:19 AM

I have Splunk Enterprise 6.6.1 and I've got the same issue.
Until I have the solution, I've found this workaround:

index=splunkmetrics sourcetype=queries
| fields _raw 
| KV

Which Splunk version are you using?

0 Karma
Reply

p_gurav
Champion
‎03-13-2018 11:32 PM

which fields are missing? Because I can see all fields in splunkmetrics index after running query. Are you searching in "Verbose mode"?

0 Karma
Reply
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...