I have a search that produces a table. I am piping that search to: | collect index=vulnerabilities
When the search runs, I see a status message like: Successfully wrote file to '299100603_events.stash'.
When I search on: index=vulnerabilities, no results show up. How do I troubleshoot this?
If you search index=_internal, you should be able to locate references to the stash file. Once the file is indexed, you should see a message of sourcetype=splunkd that has this text in it:
INFO Metrics - group=per_source_thruput, series="$SPLUNK_HOME/var/spool/splunk/99100603_events.stash" kbps=0.067, eps=0.78, kb=1.0
Any errors should also turn up.
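The check described in the answer above, written out as a search (an added example, not part of the original answer). It assumes the default search-time fields `log_level`, `component`, `group` and `kb` are extracted for `sourcetype=splunkd` events, and it matches on the generic `events.stash` suffix rather than one specific file name:

```spl
index=_internal sourcetype=splunkd "events.stash"
| eval outcome=if(component="Metrics" AND group="per_source_thruput", "indexed", "other")
| stats count, sum(kb) AS kb, latest(_time) AS last_seen BY outcome, log_level, component
| convert ctime(last_seen)
```

A row with outcome=indexed confirms the stash file was picked up from the spool directory; rows with a log_level of WARN or ERROR are the ones to read in full.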