Solved: Re: saved search with collect command not running/...

kochera · ‎11-30-2015

Hi,

I've a scheduled saved search running every day to collect events and writting the events to a new index. Running the search interactively is working fine but running the job started by the scheduler is not working at all. No data is written to the new index. Find below the search:

index=access sourcetype="legacy"  [search (index=access sourcetype="tap") OR (index=access sourcetype=vdi) |fields + user ] |collect index=access sourcetype=legacy_spec

Any ideas what might cause this behaviour?

cheers,
Andy

mzorzi · ‎11-30-2015

the output of collect command must be a separate summary index, it can not be the same index :

http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Collect

View solution in original post

mzorzi · ‎11-30-2015

the output of collect command must be a separate summary index, it can not be the same index :

http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Collect

kochera · ‎11-30-2015

Hi,
thanks for your answer. But why is it writting the data properly when running it manually?

cheers,
Andy

woodcock · ‎12-01-2015

I would open a support case and ask that exact question.

saved search with collect command not running/not collecting data

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms