Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

A question about using the "collect" command.

noott211
Path Finder
‎12-15-2021 08:24 PM

index="my_index"
|eval check=if(html_code==200,"error","OK")
|stats count values(clientip) as src_ip by ip , check
|table src_ip , ip, check , count
|collect index=error_ip_count


I'm going to call up "error_ip_count" after using that command.
I used index=error_ip_count, but I couldn't call it up. Is there a wrong way to use it?

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎12-15-2021 09:10 PM

Hi @noott211 ,

Perhaps docs are starting point- https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/Collect

It depends on your use case and how you want to use it. At a high level it will write summary information( subset of _raw events) to a separate index.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

noott211
Path Finder
‎12-15-2021 09:05 PM

Thank you. Is there a better way to use collect?

0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎12-15-2021 09:10 PM

Hi @noott211 ,

Perhaps docs are starting point- https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/Collect

It depends on your use case and how you want to use it. At a high level it will write summary information( subset of _raw events) to a separate index.

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎12-15-2021 08:37 PM

Hi @noott211 

What do you mean by you couldn't call it up?

The above query should work just fine if the index=error_ip_count exist on indexers otherwise you need to create it.

---

An upvote would be appreciated if this reply helps!

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...