The summary index exists, but why is the collect c...

manisha_maxonic · ‎11-17-2016

Hello Team,

I am using the search below:

index="existing_index" |fields field1,field2| collect index="new_index"

I already verified that index is present. The search above shows a result when I run it on the search head, but when I use:

index="new_index"

to find a record in new_index, then data is not available. Please suggest the solution.

TiagoTLD1 · ‎12-05-2016

Does Splunk know that "new_index" is a summary index?

Create a saved search with that search and enable summary indexing

collect
Description
Adds the results of a search to a summary index that you specify. You must create the summary index before you invoke the collect command.

lguinn2 · ‎11-18-2016

Which user is actually running the search? Does that user have permission to see this index? Check the role.

manisha_maxonic · ‎11-21-2016

I am working on it from admin user and command was running properly from same user till last week. don't know what is wrong now.

The summary index exists, but why is the collect command not populating it with any data?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?

The summary index exists, but why is the collect command not populating it with any data?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!