Hi Folks
I've been using mcollect to collect metrics from the events in my indexes and I thought if I set up an alert with the mcollect part in the search, it would automatically collect the metrics every X minutes but that doesn't seem to be working, the metrics are only collected when I run the search manually.
Any suggestions to how I can make mcollect just automatically collect the metrics I am looking for?
Thanks
If this is the only thing modifying your metrics index you could verify whether the data is not mcollected at all or just "mistimed".
Run
| mstats count(*) where index=<your_metrics_index>
| transpose 0
| stats sum("row 1") as total
over all-time before and after the scheduled search runs and verify the counts.
Are you sure the user for which the search is scheduled has appropriate capabilities to run mcollect and access to the destination index?
I think so. I considered permissions and tried it in a lab setting as the admin user and it was the same result.
Besides, it works fine when the same user does it manually so I wouldn't have thought it would be any different for an automated one.
I do feel a bit stupid now..
My cron was wrong. The method was perfectly sane.
I did struggle to find any actual documentation to say that this was a way of doing it, so I hope this question will help future searchers determine that.
Thanks for helping my grey matter along
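The approach this thread settles on, written out as an added example that is not from the original posts: a scheduled saved search in savedsearches.conf whose search ends in mcollect. The stanza name, source index, sourcetype, metric names and metrics index are placeholders, and the commented-out cron line illustrates one common kind of schedule mistake, since the thread does not say what the poster's actual error was.

```ini
# savedsearches.conf -- illustrative stanza; every name here is a placeholder
[mcollect_web_request_metrics]
# Aggregate events, then write the numeric results to a metrics index.
# With split=true, the listed field (host) is a dimension and every
# other field in the results is written as a measure.
search = index=web sourcetype=access_combined \
| stats count AS "web.requests.count" avg(bytes) AS "web.bytes.avg" BY host \
| mcollect index=my_metrics split=true host

# The search only runs unattended when scheduling is enabled.
enableSched = 1

# Cron fields: minute hour day-of-month month day-of-week.
# Every 5 minutes:
cron_schedule = */5 * * * *
# Easy to confuse with the following, which runs once an hour at minute 5:
# cron_schedule = 5 * * * *

# Time window matched to the schedule and snapped to the minute, so each
# run covers the previous 5 minutes without overlapping the run before it.
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
```

After the next scheduled run, the mstats count query from the reply above shows whether the total in the metrics index increased.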