Knowledge Management

Using collect for summary indexing not working

jambajuice
Communicator

I have a search that produces a table. I am piping that search to: | collect index=vulnerabilities

When the search runs, I see a status message like: Successfully wrote file to '299100603_events.stash'.

When I search on: index=vulnerabilities, no results show up. How do I troubleshoot this?

Thanks.

Craig

Tags (1)
1 Solution

jambajuice
Communicator

I reinstalled Splunk and chose the "Repair" option and it's working now.

View solution in original post

0 Karma

Ron_Naken
Splunk Employee
Splunk Employee

If you search index=_internal, you should be able to locate references to the stash file. Once the file is indexed, you should see a message of sourcetype=splunkd that has this text in it:

INFO Metrics - group=per_source_thruput, series="$SPLUNK_HOME/var/spool/splunk/99100603_events.stash" kbps=0.067, eps=0.78, kb=1.0

Any errors should also turn up.

jambajuice
Communicator

I reinstalled Splunk and chose the "Repair" option and it's working now.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...