Hello, I have the following search query which retrieves the metadata for all the splunk search queries ran in the last hour.

I am also using 'collect' to push this data into the splunkmetrics index with sourcetype 'queries'.

My issue is that if I run this without the collect command at the end, I can see all the 13 fields in a table format, as one would expect. However when I 'collect' these fields in the splunkmetrics index, I see that only a few fields are put into the splunkmetrics index. In other words, I see that my splunkmetrics summary index does not contain all the fields which are returned by the preceding query.

What am I doing wrong here?

===========================================================================================

index=_audit action=search sourcetype=audittrail search_id!="'rsa_*" earliest=-1h@h latest=-0h@h |

eval user = if(user="n/a", null(), user) |

stats min(_time) as _time,
max(total_run_time) as total_run_time,
values(info) as info,
first(host) as searchhead,
values(search) as search,
values(savedsearch_name) as savedsearch_name,
values(user) as user,
values(event_count) as event_count,
values(result_count) as result_count,
values(available_count) as available_count,
values(scan_count) as scan_count,
values(drop_count) as drop_count,
values(is_realtime) as is_realtime

by search_id

| where (isnotnull(search) AND search!="") OR (isnotnull(savedsearch_name) AND savedsearch_name!="") | collect index=splunkmetrics sourcetype=queries

===========================================================================================