Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

"Collect" command doesnt work with "All time (Real-Time)"

DavidGirsvaldas
Explorer
‎08-22-2018 03:13 AM

Hi,
I have a use case where I need to check for incomming events with measurements, combine and modify them and save as a new event. This is different from a simple summary as I might need to apply math to its values. What Im trying to use now is "Collect" command:

index=main (host="host1" AND MeasurementChannel=1) OR (host="host2" AND MeasurementChannel=2) | stats latest(MeanValue) as sumMean latest(Timestamp) as latestTImestamps latest(_time) as _time by MeasurementChannel| stats sum(sumMean) as MeanValue latest(latestTImestamps) as Timestamp latest(_time) as _time | eval Alias="myCustomChannel" | collect index=main host=host1

This search works fine when executed as non-real time, but when I set time interval to "All Time(Real-time)" nothings gets collected. in documentation for Collect command (http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Collect) it says

The collect command also works with real-time searches that have a time range of All time.

Tags (2)
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-22-2018 04:09 AM

collect command Description....
Adds the results of a search to a summary index that you specify. You must create the summary index before you invoke the collect command.

index=main ....................| collect index=main host=host1
here you are collecting the events from main index and sending it again to main index.

probably you should re-write your query to... (beforehand, you have to create this mainCollectSummary index )
index=main ....................| collect index=mainCollectSummary

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

DavidGirsvaldas
Explorer
‎08-22-2018 04:20 AM

thank you for reply.
I also tried collecting events to "summary" index and it behaved in a same way. It worked with non-real time queries. Also my use case actually requires events to be saved in a same index.
"You must create the summary index before you invoke the collect command."- the way I read it, is that Splunk says search will not create a new index automatically by running search and so index should be created prior.
"Adds the results of a search to a summary index that you specify"- as far as I know Real-Time searches never finishes so therefore they do not produce results. So I wouldnt expect it to work, but the Collect command documentation clearly states that command works with All-time(real time) which confuses me

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-22-2018 04:52 AM

maybe, update the authorize.conf file that gives a way to grant/remove this collect command from a user...

[capability::run_collect]
* Lets a user run the collect command.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

DavidGirsvaldas
Explorer
‎08-22-2018 06:04 AM

The documentation page points to Splunk version 7.1.2 meanwhile Im using a bit older 7.0.2. This capability doesnt appear as option in my version and gets ignored if set in config files. However I doubt this is an issue since Im able to successfully use Collect command as long as it is not real time.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-22-2018 06:18 AM

ok, are you able to run other real time searches?!?!

[capability::rtsearch]
* Lets a user run realtime searches.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

DavidGirsvaldas
Explorer
‎08-22-2018 06:26 AM

yes, they all work as expected. Im currently running it all using Admin role. rtsearch is enabled.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...