Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

"Collect" command doesnt work with "All time (Real-Time)"

DavidGirsvaldas
Explorer
‎08-22-2018 03:13 AM

Hi,
I have a use case where I need to check for incomming events with measurements, combine and modify them and save as a new event. This is different from a simple summary as I might need to apply math to its values. What Im trying to use now is "Collect" command:

index=main (host="host1" AND MeasurementChannel=1) OR (host="host2" AND MeasurementChannel=2) | stats latest(MeanValue) as sumMean latest(Timestamp) as latestTImestamps latest(_time) as _time by MeasurementChannel| stats sum(sumMean) as MeanValue latest(latestTImestamps) as Timestamp latest(_time) as _time | eval Alias="myCustomChannel" | collect index=main host=host1

This search works fine when executed as non-real time, but when I set time interval to "All Time(Real-time)" nothings gets collected. in documentation for Collect command (http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Collect) it says

The collect command also works with real-time searches that have a time range of All time.

Tags (2)
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-22-2018 04:09 AM

collect command Description....
Adds the results of a search to a summary index that you specify. You must create the summary index before you invoke the collect command.

index=main ....................| collect index=main host=host1
here you are collecting the events from main index and sending it again to main index.

probably you should re-write your query to... (beforehand, you have to create this mainCollectSummary index )
index=main ....................| collect index=mainCollectSummary

0 Karma
Reply

DavidGirsvaldas
Explorer
‎08-22-2018 04:20 AM

thank you for reply.
I also tried collecting events to "summary" index and it behaved in a same way. It worked with non-real time queries. Also my use case actually requires events to be saved in a same index.
"You must create the summary index before you invoke the collect command."- the way I read it, is that Splunk says search will not create a new index automatically by running search and so index should be created prior.
"Adds the results of a search to a summary index that you specify"- as far as I know Real-Time searches never finishes so therefore they do not produce results. So I wouldnt expect it to work, but the Collect command documentation clearly states that command works with All-time(real time) which confuses me

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-22-2018 04:52 AM

maybe, update the authorize.conf file that gives a way to grant/remove this collect command from a user...

[capability::run_collect]
* Lets a user run the collect command.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf

0 Karma
Reply

DavidGirsvaldas
Explorer
‎08-22-2018 06:04 AM

The documentation page points to Splunk version 7.1.2 meanwhile Im using a bit older 7.0.2. This capability doesnt appear as option in my version and gets ignored if set in config files. However I doubt this is an issue since Im able to successfully use Collect command as long as it is not real time.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-22-2018 06:18 AM

ok, are you able to run other real time searches?!?!

[capability::rtsearch]
* Lets a user run realtime searches.

0 Karma
Reply

DavidGirsvaldas
Explorer
‎08-22-2018 06:26 AM

yes, they all work as expected. Im currently running it all using Admin role. rtsearch is enabled.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...