Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Not result get from collect

Wendy1990
New Member
‎07-08-2015 02:42 PM

I schedule below search, search name is "TransactionResult"

sourcetype="ims*" host="chi*" ActivityId!="(null)" (Action="Start" OR Action="End") | eval TopicName= mvindex(split(TopicName,"."),-1) | transaction ActivityId TopicName startswith="Start" endswith="End" maxevents=2 | fields FirmName ActivityId TopicName duration _time | collect addtime=true index=summary_abuse

After above search completed, I use

"index=summary_abuse search_name="TransactionResult" to get the result of search , but the result is empty ,why?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎07-08-2015 02:57 PM

I don't think search_name is the right field to use here.

Did you try:

index=summary_abuse source="TransactionResult"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎07-08-2015 04:02 PM

Best practice is to use a marker, which creates a new key/value pair in each SI result. The marker then allows you to easily retrieve the results you want from the SI.

Here's how you can add it to your search:

sourcetype="ims*" host="chi*" ActivityId!="(null)" (Action="Start" OR Action="End") | eval TopicName= mvindex(split(TopicName,"."),-1) | transaction ActivityId TopicName startswith="Start" endswith="End" maxevents=2 | fields FirmName ActivityId TopicName duration _time | collect addtime=true index=summary_abuse marker="si_search_name=TransactionResult"

Then, to retrieve the results, you just do:

index=summary_abuse si_search_name=TransactionResult
Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎07-08-2015 02:57 PM

I don't think search_name is the right field to use here.

Did you try:

index=summary_abuse source="TransactionResult"
0 Karma
Reply
Solved! Jump to solution

Wendy1990
New Member
‎07-09-2015 07:15 AM

Transaction can calculate duration, but I don't see the field duration value for each ActivityId.

0 Karma
Reply
Solved! Jump to solution

Wendy1990
New Member
‎07-09-2015 07:24 AM

I want to save the result of transaction command, now I can see the event with your command, but duration value is null, why?
I use this command
index=summary source="transtest" | table FirmName ActivityId TopicName duration _time

0 Karma
Reply
Get Updates on the Splunk Community!

Insights from .conf 2025, Smart Edge Processor Scaling, and a New Splunk Lantern ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Machine Learning - Assisted Adaptive Thresholding

Let’s talk thresholding. Have you set up static thresholds? Tired of static thresholds triggering false ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...