is there a way to check if makeresults stored the ...

jayjoshi64 · ‎01-08-2018

I am searching like this in Splunk:

  | makeresults count=3 | eval _raw="demo event" | collect index=main sourcetype="sample"

It generates the events and also stores these 3 events in the index.

and then I searched this:

| makeresults count=3 | eval _raw="demo event" | collect index="randomindex" sourcetype="sample"

Here, "randomIndex" is not available in the Splunk instance, so it will not store the events, but it will show all 3 events anyway when the above search is fired. but still not stored anywhere.

I am trying same to do using REST API to search "makeresults" multiple times and store in the given index but there is no way to check whether the events has been stored successfully or not.

Is there a way to check whether the makeresults stored the event successfully or not.? using job properties or anything.?

gcusello · ‎01-09-2018

Hi
you have to create Index before use collect command (see https://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Collect ) so you're sure to find events in that index.

Bye.
Giuseppe

jayjoshi64 · ‎01-09-2018

I have checked whether index is available in the Splunk Instance by checking if index's stanza is available in indexes.conf or not.

if there is error message in the response. create the Index by adding the stanza in the indexes.conf

to check and add stanza: check stanza by REST API

is there a way to check if makeresults stored the events in index or not ?

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application