Solved: A question about using the "collect" command.

noott211 · ‎12-15-2021

index="my_index"
|eval check=if(html_code==200,"error","OK")
|stats count values(clientip) as src_ip by ip , check
|table src_ip , ip, check , count
|collect index=error_ip_count

I'm going to call up "error_ip_count" after using that command.
I used index=error_ip_count, but I couldn't call it up. Is there a wrong way to use it?

venkatasri · ‎12-15-2021

Hi @noott211 ,

Perhaps docs are starting point- https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/Collect

It depends on your use case and how you want to use it. At a high level it will write summary information( subset of _raw events) to a separate index.

View solution in original post

noott211 · ‎12-15-2021

Thank you. Is there a better way to use collect?

venkatasri · ‎12-15-2021

Hi @noott211 ,

Perhaps docs are starting point- https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/Collect

It depends on your use case and how you want to use it. At a high level it will write summary information( subset of _raw events) to a separate index.

venkatasri · ‎12-15-2021

Hi @noott211

What do you mean by you couldn't call it up?

The above query should work just fine if the index=error_ip_count exist on indexers otherwise you need to create it.

---

An upvote would be appreciated if this reply helps!

A question about using the "collect" command.

eval

other

stats

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2