Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Collect command with federated searches

MJAITEH
Engager
‎03-21-2024 08:06 AM

I have a use case where I'm trying to collect events from a federated search. I can run and search results using the federated index, but when I try to add a collect command to collect the results to a local index I get the following error: "No results to summary index." The search works but automatically returns no results when I try to collect.

I've leveraged a workaround by using a makeresults with dummy data followed by an append with a subsearch, that contains my federated search and that collects fine, but now I'm limited by subsearch constraints. Anyone run into this issue?

Workaround:

 

| makeresults
| eval test="a"
| fields - _time
| append
[ index=federated:testindex | head 1 ]
| collect index=mysummaryindex

 

Labels (1)
Labels
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation

Culture extends beyond work experience and coffee roast preferences on software engineering teams. Team ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...