Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

using mcollect on contionous basis

Silah
Path Finder
‎11-23-2024 06:49 AM

Hi Folks

I've been using mcollect to collect metrics from the events in my indexes and I thought if I set up an alert with the mcollect part in the search, it would automatically collect the metrics every X minutes but that doesn't seem to be working, the metrics are only collected when I run the search manually.

 

Any suggestions to how I can make mcollect just automatically collect the metrics I am looking for ?

 

Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎11-23-2024 12:53 PM

If this is the only thing modifying your metrics index you could verify whether the data is not mcollected at all or just "mistimed".

Run

| mstats count(*) where index=<your_metrics_index>
| transpose 0
| stats sum("row 1") as total

over all-time before and after the scheduled search runs and verify the counts

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-23-2024 07:36 AM

Are you sure the user for which the search is scheduled has appropriate capabilities to run mcollect and access to the destination index?

0 Karma
Reply
Solved! Jump to solution

Silah
Path Finder
‎11-23-2024 11:12 AM

I think so. I considered permissions and tried it in a lab setting as the admin user and it was the same result.

 

Besides, it works fine when the same user does it manually so I wouldn't have thought it would be any different for an automated one

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎11-23-2024 12:53 PM

If this is the only thing modifying your metrics index you could verify whether the data is not mcollected at all or just "mistimed".

Run

| mstats count(*) where index=<your_metrics_index>
| transpose 0
| stats sum("row 1") as total

over all-time before and after the scheduled search runs and verify the counts

0 Karma
Reply
Solved! Jump to solution

Silah
Path Finder
‎11-26-2024 07:16 AM

I do feel a bit stupid now..

My Cron was wrong. The method was perfectly sane.

I did struggle to find any actual documentation to say that this was a way of doing it, so I hope this question will help future searchers determine that.

Thanks for helping my grey matter along

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top