Why is collect command not working?

rschmelzle_noda
New Member

I have an instance of Splunk Enterprise installed where my search head and indexer are running on the same server. I installed and configured the Splunk Forwarder for Windows on a Windows server with a syntax error causing events to be sent to an incorrect index. I tried following the support articles for using the "collect" command to copy events from one index to another, but that does not seem to be working. Additionally, I double-checked the syntax of the collect command directly from the Splunk documentation for the collect command and it appears to be correct. However, when I run the following search and collect, my data is not copied to the destination index:

host="hostname" sourcetype="source_type" index="source_index" | collect index="destination_index" sourcetype="source_type" host="hostname"

For my particular use case, my host and sourcetype should be the same for the data in the source and destination index. I only wish to copy the events to the new destination index, after which I will delete them from the original index.

Is there anything I am missing here? Thanks and please let me know if anyone has any insight!

0 Karma

uagrawal_splunk
Splunk Employee

The collect command stated in the question is correct and it will index the data in the new index:
host="host_name" sourcetype="My_sourcetype" index="test" | collect index="new_index" host="host_name" sourcetype="My_sourcetype"

uagrawal_splunk
Splunk Employee

Have you created your destination_index in the indexer? I tried the same query of yours and it works for me, the events are copied to my new destination_index.
If the destination_index is not available then you will get the message below:
Received event for unconfigured/disabled/deleted index='test' with source="source" host="my_host" sourcetype="my_sourcetype". So far received events from 1 missing index(es).

0 Karma
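An added example, not part of the original thread: one way to find which indexes are rejecting events by parsing the missing-index message quoted in the answer above. It assumes the messages have been exported to plain text lines; the sample lines, their timestamp prefix, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Message format as quoted in the answer above. The log prefix in the sample
# lines (timestamp, level) is a constructed assumption, so search() is used
# instead of match() to tolerate whatever precedes the message.
MISSING_INDEX_RE = re.compile(
    r"Received event for unconfigured/disabled/deleted index='(?P<index>[^']*)' "
    r'with source="(?P<source>[^"]*)" host="(?P<host>[^"]*)" '
    r'sourcetype="(?P<sourcetype>[^"]*)"'
)

def find_missing_index_events(lines):
    """Return one dict (index, source, host, sourcetype) per warning line."""
    hits = []
    for line in lines:
        m = MISSING_INDEX_RE.search(line)
        if m:
            hits.append(m.groupdict())
    return hits

def summarize(hits):
    """Count warnings per (missing index, host, sourcetype)."""
    return Counter((h["index"], h["host"], h["sourcetype"]) for h in hits)

# Constructed sample input: two events aimed at an index that does not exist,
# one copy of the message from the thread, and one unrelated line.
SAMPLE_LOG = [
    "2024-05-01 10:15:02 WARN Received event for unconfigured/disabled/deleted "
    "index='destination_index' with source=\"WinEventLog:Security\" "
    "host=\"hostname\" sourcetype=\"source_type\". "
    "So far received events from 1 missing index(es).",
    "2024-05-01 10:15:09 WARN Received event for unconfigured/disabled/deleted "
    "index='destination_index' with source=\"WinEventLog:Security\" "
    "host=\"hostname\" sourcetype=\"source_type\". "
    "So far received events from 1 missing index(es).",
    "2024-05-01 10:16:30 WARN Received event for unconfigured/disabled/deleted "
    "index='test' with source=\"source\" host=\"my_host\" "
    "sourcetype=\"my_sourcetype\". "
    "So far received events from 2 missing index(es).",
    "2024-05-01 10:17:00 INFO unrelated line that must be ignored",
]

if __name__ == "__main__":
    hits = find_missing_index_events(SAMPLE_LOG)
    for (index, host, st), n in summarize(hits).most_common():
        print(f"{n} event(s) dropped: index={index} host={host} sourcetype={st}")
```

An empty result for the destination index is consistent with the index existing, which points the troubleshooting back at the search string itself.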

rschmelzle_noda
New Member

Thanks for the reply. When I go to Settings --> Data --> Indexes my index is present. Any other thoughts or suggestions?

0 Karma

uagrawal_splunk
Splunk Employee

Are you getting any error message or anything? What happens after you hit the above command?

0 Karma

rschmelzle_noda
New Member

When I run it nothing happens at all. I run it in the search box from the web UI and nothing at all happens. Upon searching for the events that should be copied in the destination index I do not see them. I do still see the events in the source index untouched.

Maybe I ran it with a small syntax error?

0 Karma

uagrawal_splunk
Splunk Employee

I don't think there is a syntax error, because this query works for me. I am seeing events on my new_index. I used the query below:
host="host_name" sourcetype="My_sourcetype" index="test" | collect index="new_index" host="host_name" sourcetype="My_sourcetype"

0 Karma

rschmelzle_noda
New Member

Thanks, I may have typed it in wrong the first time, but I will try it again and see if it works. I appreciate your feedback!

0 Karma

uagrawal_splunk
Splunk Employee

Are you able to copy the data in the destination index?

0 Karma

rschmelzle_noda
New Member

Yes, I had incorrectly formatted my original search and collect. After looking back through my documentation there was a small syntax error in the initial execution of my command causing the issue.

Thanks for your help and sorry for the silly mistake!

0 Karma

uagrawal_splunk
Splunk Employee

No problem, I am writing the collect command in answers for others.

0 Karma

rschmelzle_noda
New Member

Thanks again!

0 Karma

uagrawal_splunk
Splunk Employee

No problem. Glad to help.

0 Karma