Re: "Collect" command doesnt work with "All time (...

DavidGirsvaldas · ‎08-22-2018

Hi,
I have a use case where I need to check for incomming events with measurements, combine and modify them and save as a new event. This is different from a simple summary as I might need to apply math to its values. What Im trying to use now is "Collect" command:

index=main (host="host1" AND MeasurementChannel=1) OR (host="host2" AND MeasurementChannel=2) | stats latest(MeanValue) as sumMean latest(Timestamp) as latestTImestamps latest(_time) as _time by MeasurementChannel| stats sum(sumMean) as MeanValue latest(latestTImestamps) as Timestamp latest(_time) as _time | eval Alias="myCustomChannel" | collect index=main host=host1

This search works fine when executed as non-real time, but when I set time interval to "All Time(Real-time)" nothings gets collected. in documentation for Collect command (http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Collect) it says

The collect command also works with real-time searches that have a time range of All time.

inventsekar · ‎08-22-2018

collect command Description....
Adds the results of a search to a summary index that you specify. You must create the summary index before you invoke the collect command.

index=main ....................| collect index=main host=host1
here you are collecting the events from main index and sending it again to main index.

probably you should re-write your query to... (beforehand, you have to create this mainCollectSummary index )
index=main ....................| collect index=mainCollectSummary

DavidGirsvaldas · ‎08-22-2018

thank you for reply.
I also tried collecting events to "summary" index and it behaved in a same way. It worked with non-real time queries. Also my use case actually requires events to be saved in a same index.
"You must create the summary index before you invoke the collect command."- the way I read it, is that Splunk says search will not create a new index automatically by running search and so index should be created prior.
"Adds the results of a search to a summary index that you specify"- as far as I know Real-Time searches never finishes so therefore they do not produce results. So I wouldnt expect it to work, but the Collect command documentation clearly states that command works with All-time(real time) which confuses me

inventsekar · ‎08-22-2018

maybe, update the authorize.conf file that gives a way to grant/remove this collect command from a user...

[capability::run_collect]
* Lets a user run the collect command.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf

DavidGirsvaldas · ‎08-22-2018

The documentation page points to Splunk version 7.1.2 meanwhile Im using a bit older 7.0.2. This capability doesnt appear as option in my version and gets ignored if set in config files. However I doubt this is an issue since Im able to successfully use Collect command as long as it is not real time.

inventsekar · ‎08-22-2018

ok, are you able to run other real time searches?!?!

[capability::rtsearch]
* Lets a user run realtime searches.

DavidGirsvaldas · ‎08-22-2018

yes, they all work as expected. Im currently running it all using Admin role. rtsearch is enabled.

"Collect" command doesnt work with "All time (Real-Time)"

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases