Why is collect command not working?

rschmelzle_noda
New Member

I have an instance of Splunk Enterprise installed where my search head and indexer are running on the same server. I installed and configured the Splunk Forwarder for Windows on a Windows server with a syntax error causing events to be sent to an incorrect index. I tried following the support articles for using the "collect" command to copy events from one index to another, but that does not seem to be working. Additionally, I double-checked the syntax of the collect command directly from the Splunk documentation for the collect command and it appears to be correct. However, when I run the following search and collect, my data is not copied to the destination index:

host="hostname" sourcetype="source_type" index="source_index" | collect index="destination_index" sourcetype="source_type" host="hostname"

For my particular use case, my host and sourcetype should be the same for the data in the source and destination index. I only wish to copy the events to the new destination index, after which I will delete them from the original index.

Is there anything I am missing here? Thanks and please let me know if anyone has any insight!


uagrawal_splunk
Splunk Employee

The collect command stated in the question is correct and it will index the data in the new index:
host="host_name" sourcetype="My_sourcetype" index="test" | collect index="new_index" host="host_name" sourcetype="My_sourcetype"

uagrawal_splunk
Splunk Employee

Have you created your destination_index on the indexer? I tried the same query as yours and it works for me; the events are copied to my new destination_index.
If the destination_index is not available, then you will get the message below:
Received event for unconfigured/disabled/deleted index='test' with source="source" host="my_host" sourcetype="my_sourcetype". So far received events from 1 missing index(es).

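A worked sequence for the index-to-index copy discussed in this thread, added here as an example and not taken from the original posts or from Splunk's own documentation. The index, host and sourcetype names are the placeholders from the question and are assumptions. It does four things in order: confirms the destination index exists and is enabled (the condition behind the "unconfigured/disabled/deleted index" message quoted above), dry-runs the copy with testmode=true so nothing is written, performs the real copy over an explicit time range, and then counts what landed in the destination.

```spl
| rest /services/data/indexes splunk_server=local
| search title="destination_index"
| table title disabled totalEventCount

host="hostname" sourcetype="source_type" index="source_index" earliest=-24h latest=now
| collect index="destination_index" sourcetype="source_type" host="hostname" testmode=true

host="hostname" sourcetype="source_type" index="source_index" earliest=-24h latest=now
| collect index="destination_index" sourcetype="source_type" host="hostname"

index="destination_index" host="hostname" sourcetype="source_type" earliest=-24h latest=now
| stats count AS copied_events, min(_time) AS first_event, max(_time) AS last_event
```

Run each search on its own from the search bar. Two points worth knowing before the real copy: collect writes events with sourcetype=stash unless you override it, and events written with any other sourcetype (as done here to keep the original sourcetype) count against the license, so copy only the time range you need rather than "All time". The clean-up the question mentions, `| delete` on the source index, requires the can_delete capability, only marks the events as unsearchable rather than freeing disk, and is a good reason to keep that capability on a role you assign temporarily rather than on an everyday admin account.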

rschmelzle_noda
New Member

Thanks for the reply. When I go to Settings --> Data --> Indexes my index is present. Any other thoughts or suggestions?


uagrawal_splunk
Splunk Employee

Are you getting any error message or anything? What happens after you run the above command?


rschmelzle_noda
New Member

When I run it nothing happens at all. I run it in the search box from the web UI and nothing at all happens. Upon searching for the events that should be copied in the destination index I do not see them. I do still see the events in the source index untouched.

Maybe I ran it with a small syntax error?


uagrawal_splunk
Splunk Employee

I don't think there is a syntax error, because this query works for me. I am seeing events in my new_index. I used the query below:
host="host_name" sourcetype="My_sourcetype" index="test" | collect index="new_index" host="host_name" sourcetype="My_sourcetype"


rschmelzle_noda
New Member

Thanks, I may have typed it in wrong the first time, but I will try it again and see if it works. I appreciate your feedback!


uagrawal_splunk
Splunk Employee

Are you able to copy the data into the destination index?


rschmelzle_noda
New Member

Yes, I had incorrectly formatted my original search and collect. After looking back through my documentation, there was a small syntax error in the initial execution of my command that was causing the issue.

Thanks for your help and sorry for the silly mistake!


uagrawal_splunk
Splunk Employee

No problem, I am writing the collect command in answers for others.


rschmelzle_noda
New Member

Thanks again!


uagrawal_splunk
Splunk Employee

No problem. Glad to help.
