Solved: In Advanced XML, can a search output to a collect?

lycollicott · ‎07-20-2016

I have this code which is intended to just write one event to a tracking index when a user clicks a button:

<module name="Button" layoutPanel="panel_row1_col1" autoRun="False">
  <param name="allowSoftSubmit">True</param>
  <param name="label">Ok</param>
  <module name="HiddenSearch">
    <param name="search">
      | rest /my_custom_endpoint| fields field1,field2| join [search ...| stats count ] | collect index=tracking_index
    </param>
    <param name="earliest">-1h</param>
    <param name="latest">now</param>
    <module name="JobProgressIndicator"></module>
    <module name="Pager">
      <param name="entityName">results</param>
      <module name="SimpleResultsTable">
        <param name="displayRowNumbers">False</param>
        <param name="entityName">results</param>
      </module>
    </module>
  </module>
</module>

So, a user will click OK then the search runs and it displays, but the | collect index=tracking_index does not work. Any suggestions?

Testing update: There were no stash files in var/spool, so I set spool=false and the stash was written to var/run, so that's weird. It indicates the collect might be working partially.

Another update: I searched index=* sourcetype=stash and my events are going into summary instead of tracking_index. So, that seems like the collect is ignoring the index= argument. Weirder still. 🙂

lycollicott · ‎07-21-2016

I have solved it.

The first issue was <param name="earliest">-1h</param> and how collect's stash file is thereby interpreted. The collect command has a default argument addtime=true which according to documentation "the Splunk software uses the search time range info_min_time". info_min_time is the earliest value of your time range and is written to the stash file, so in my case info_min_time was 1 hour in the past and that became the _time value of my newly indexed event in tracking_index. Every time I was testing this XML form, I was searching for the new events within the last 15 minutes, so of course they didn't appear, because the event was an hour old in the index. I changed the -1h to -1s and now the collect command indexes the events 1 second into the past which is acceptable for this application.

The second issue seems to be that I wasn't specifying a sourcetype argument for my collect command and that it defaulted to stash which seemed to cause the events to go to the summary index instead. My new command looks like this ... | collect index=tracking_index sourcetype=tracker.

View solution in original post

lycollicott · ‎07-21-2016

I have solved it.

The first issue was <param name="earliest">-1h</param> and how collect's stash file is thereby interpreted. The collect command has a default argument addtime=true which according to documentation "the Splunk software uses the search time range info_min_time". info_min_time is the earliest value of your time range and is written to the stash file, so in my case info_min_time was 1 hour in the past and that became the _time value of my newly indexed event in tracking_index. Every time I was testing this XML form, I was searching for the new events within the last 15 minutes, so of course they didn't appear, because the event was an hour old in the index. I changed the -1h to -1s and now the collect command indexes the events 1 second into the past which is acceptable for this application.

The second issue seems to be that I wasn't specifying a sourcetype argument for my collect command and that it defaulted to stash which seemed to cause the events to go to the summary index instead. My new command looks like this ... | collect index=tracking_index sourcetype=tracker.

In Advanced XML, can a search output to a collect?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?