
Why is collect command not working?

rschmelzle_noda
New Member

I have an instance of Splunk Enterprise installed where my search head and indexer are running on the same server. I installed and configured the Splunk Forwarder for Windows on a Windows server with a syntax error that caused events to be sent to an incorrect index. I tried following the support articles on using the "collect" command to copy events from one index to another, but that does not seem to be working. Additionally, I double-checked the syntax of the collect command directly against the Splunk documentation for the collect command and it appears to be correct. However, when I run the following search and collect, my data is not copied to the destination index:

host="hostname" sourcetype="source_type" index="source_index" | collect index="destination_index" sourcetype="source_type" host="hostname"

For my particular use case, my host and sourcetype should be the same for the data in the source and destination index. I only wish to copy the events to the new destination index, after which I will delete them from the original index.

Is there anything I am missing here? Thanks and please let me know if anyone has any insight!


uagrawal_splunk
Splunk Employee

The collect command stated in the question is correct and it will index the data in the new index:
host="host_name" sourcetype="My_sourcetype" index="test" | collect index="new_index" host="host_name" sourcetype="My_sourcetype"

uagrawal_splunk
Splunk Employee

Have you created your destination_index on the indexer? I tried the same query as yours and it works for me; the events are copied to my new destination_index.
If the destination_index is not available, then you will get the message below:
Received event for unconfigured/disabled/deleted index='test' with source="source" host="my_host" sourcetype="my_sourcetype". So far received events from 1 missing index(es).

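The check-then-copy-then-verify sequence implied by the two answers above, written out as an added SPL example (not the poster's or Splunk's own code). The index, host and sourcetype names are placeholders taken from the question and the time range is assumed; run each search separately in the same search window. The first search confirms the destination index exists and is enabled on the local indexer, the second counts the events about to be copied, the third performs the copy, the fourth counts what arrived in the destination, and the last looks for the "unconfigured/disabled/deleted index" message in splunkd's own log if the counts do not match.

```spl
| rest /services/data/indexes splunk_server=local
| search title="destination_index"
| table title disabled totalEventCount

index="source_index" host="hostname" sourcetype="source_type" earliest=-24h latest=now
| stats count AS events_in_source

index="source_index" host="hostname" sourcetype="source_type" earliest=-24h latest=now
| collect index="destination_index" sourcetype="source_type" host="hostname" addtime=true marker="copied_from=source_index"

index="destination_index" host="hostname" sourcetype="source_type" earliest=-24h latest=now
| stats count AS events_in_destination

index=_internal sourcetype=splunkd "unconfigured/disabled/deleted index"
| table _time host _raw
```

Two caveats worth knowing before running the copy: collect writes with sourcetype "stash" unless told otherwise, and overriding the sourcetype, as the question does, makes the copied events count against the license again; and collect only copies, so the originals stay searchable in source_index until they are removed separately with the delete command, which needs the can_delete capability. Leaving the marker on the copies makes it easy to tell them apart from any events that later arrive in destination_index directly from the forwarder.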

rschmelzle_noda
New Member

Thanks for the reply. When I go to Settings --> Data --> Indexes, my index is present. Any other thoughts or suggestions?


uagrawal_splunk
Splunk Employee

Are you getting any error message or anything? What happens after you run the above command?


rschmelzle_noda
New Member

When I run it, nothing happens at all. I run it in the search box from the web UI and nothing at all happens. When I search for the events that should have been copied to the destination index, I do not see them. I do still see the events in the source index, untouched.

Maybe I ran it with a small syntax error?


uagrawal_splunk
Splunk Employee

I don't think there is a syntax error, because this query works for me. I am seeing events in my new_index. I used the query below:
host="host_name" sourcetype="My_sourcetype" index="test" | collect index="new_index" host="host_name" sourcetype="My_sourcetype"


rschmelzle_noda
New Member

Thanks, I may have typed it in wrong the first time, but I will try it again and see if it works. I appreciate your feedback!


uagrawal_splunk
Splunk Employee

Are you able to copy the data to the destination index?


rschmelzle_noda
New Member

Yes, I had incorrectly formatted my original search and collect. After looking back through my documentation, there was a small syntax error in the initial execution of my command that caused the issue.

Thanks for your help and sorry for the silly mistake!


uagrawal_splunk
Splunk Employee

No problem, I am writing up the collect command in the answers for others.


rschmelzle_noda
New Member

Thanks again!


uagrawal_splunk
Splunk Employee

No problem. Glad to help.
