Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I not able to get any dynamic content using the collect command with the marker option?

bjoernjensen
Contributor
‎03-26-2015 04:26 PM

Hey,

I am trying to use collect together with the marker-Option. Unfortunately I am not able to get any dynamic content for the marker string:

index=_internal file=* | head 10 | table _time file | collect  index=test_temp marker=file

yields into _raw entries like this:

03/26/2015 23:59:27 +0100, info_search_time=1427410768.113, file=shelper, file

What I would like of course is the content of the field file and not the string file. I have already tried:
... marker='file'
... marker=\'file\'
... marker=\\'file\\'
... marker=\\\'file\\\'

But the marker is always set to the string.

I thought of using map-command. But this is very ugly since map starts a search for each event going into map (maxsearches could be adjusted, but .... naah)

I also tried to create a macro mycollect(2):

collect index=$index$ marker=$marker$

But the same result for either

index=_internal file=* | head 10 | table _time file | `mycollect(temp_test,file)`

or

index=_internal file=* | head 10 | table _time file | `mycollect(temp_test,'file')`

So, has anyone an idea?
Thanks in advance!

Reply
1 Solution
Solved! Jump to solution
Solution

bjoernjensen
Contributor
‎03-27-2015 12:42 PM

I eventually made it work. I read the docs and there it states:

marker
Syntax: marker=<string>
Description: A string, usually of key-value pairs, to append to each event written out. Optional, default is empty.

Since this is not working with dynamic content (e.g. field content), I will either table my dynamic marker field before collect:
index=_internal file=* | head 10 | eval myMarker="some usefull stuff" | table _time file myMarker | collect index=test_temp

or append my marker string to to the content field _raw beginning with , :
index=_internal | head 10 | eval _raw=_raw.", myKey = isSearchable, andWill = beExtracted" | collect index=test_temp

Hope that helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

bjoernjensen
Contributor
‎03-27-2015 12:42 PM

I eventually made it work. I read the docs and there it states:

marker
Syntax: marker=<string>
Description: A string, usually of key-value pairs, to append to each event written out. Optional, default is empty.

Since this is not working with dynamic content (e.g. field content), I will either table my dynamic marker field before collect:
index=_internal file=* | head 10 | eval myMarker="some usefull stuff" | table _time file myMarker | collect index=test_temp

or append my marker string to to the content field _raw beginning with , :
index=_internal | head 10 | eval _raw=_raw.", myKey = isSearchable, andWill = beExtracted" | collect index=test_temp

Hope that helps!

Reply
Solved! Jump to solution

masonmorales
Influencer
‎03-27-2015 04:33 PM

Right, defining it as a field using an eval is the way to go for your use case. As you saw in the docs, marker has to be a string, which is useful for separating out different sets of data in the summary index.

For example:

| collect index="mysummaryindex" marker="report=top_sales"

Allows me to search on that data using:

index=mysummaryindex report=top_sales
Reply
Solved! Jump to solution

packman
Engager
‎03-26-2015 06:54 PM

I'm having the same issue, I get no error in the search but the data is never indexed if I use a field value instead of just text.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...