I am trying to use
collect together with the
marker-Option. Unfortunately I am not able to get any dynamic content for the marker string:
index=_internal file=* | head 10 | table _time file | collect index=test_temp marker=file
_raw entries like this:
03/26/2015 23:59:27 +0100, info_search_time=1427410768.113, file=shelper, file
What I would like of course is the content of the field file and not the string
file. I have already tried:
But the marker is always set to the string.
I thought of using
map-command. But this is very ugly since map starts a search for each event going into map (
maxsearches could be adjusted, but .... naah)
I also tried to create a macro
collect index=$index$ marker=$marker$
But the same result for either
index=_internal file=* | head 10 | table _time file | `mycollect(temp_test,file)`
index=_internal file=* | head 10 | table _time file | `mycollect(temp_test,'file')`
So, has anyone an idea?
Thanks in advance!
I'm having the same issue, I get no error in the search but the data is never indexed if I use a field value instead of just text.
I eventually made it work. I read the docs and there it states:
marker Syntax: marker=<string> Description: A string, usually of key-value pairs, to append to each event written out. Optional, default is empty.
Since this is not working with dynamic content (e.g. field content), I will either table my dynamic marker field before
index=internal file=* | head 10 | eval myMarker="some usefull stuff" | table _time file myMarker | collect index=testtemp
or append my marker string to to the content field
raw beginning with
internal | head 10 | eval raw=raw.", myKey = isSearchable, andWill = beExtracted" | collect index=test_temp
Hope that helps!
Right, defining it as a field using an eval is the way to go for your use case. As you saw in the docs, marker has to be a string, which is useful for separating out different sets of data in the summary index.
| collect index="mysummaryindex" marker="report=top_sales"
Allows me to search on that data using: