Knowledge Management

collect and summary index problem

EricPartington
Communicator

i've been running around in circles for a few hours now, cant figure this out.

I have a dev and prod environment (prod 4.2.5 and dev 4.3)

In dev environment i can run a search and use collect to write the events to the summary index

splunk_server=a |top host | collect index=summary

using the stash file name that is shown i can locate the data with this command

index=_internal 254301636_events.stash_new

i try the same thing in prod(4.2.5) and I am not able to find the data in the summary index. No errors as far as i can see relating to the index or command. No data anywhere.

Is there a difference in the collect command between 4.2.5 and 4.3?

What other troubleshooting can be done to help figure this out?

0 Karma
1 Solution

yannK
Splunk Employee
Splunk Employee

Once indexed in the index=summary, you should search for it using

index=summary

If you wanted to name your results, look at the option marker
http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/Collect

View solution in original post

yannK
Splunk Employee
Splunk Employee

Once indexed in the index=summary, you should search for it using

index=summary

If you wanted to name your results, look at the option marker
http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/Collect

View solution in original post

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!