
Metric : mcollect command error

brdr
Contributor

Hello,

I've been using this command on other metric indexes and I can't get this one to work.

index=iiot_index Tag="simple_tag" AND metric_name="simple_metric" Quality=good
| eval Value=CASE(
Value="TRUE", 1,
Value="FALSE", 0,
Value="ACTIVE", 1,
Value="IN_PROGRESS", 1,
Value="ARMED", 1,
Value="TRIGGERED", 0,
Value="ON", 1,
Value="OFF", 0,
1=1, Value)
| rex field=asset_name "(?.).(?.)"
| eval _value=Value
| where isnum(_value)
| table asset metric_name Value _time
| mcollect index=iiot_index_metric asset,metric_name,Value

The error I get is this:

Error in 'mcollect' command: Must specify a valid metric index.

I do get data from the first index above, and this index in the last line is a metrics index.

Thanks

1 Solution

brdr
Contributor

I figured it out. We are in a distributed environment and this index needed to be on the search head as well as indexers (of course).
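
An added example, not part of the original post: a metrics index stanza of the kind the accepted answer describes, deployed in indexes.conf on the search head as well as on the indexers. The index name is taken from the question; the app location and the default $SPLUNK_DB paths are assumptions.

```ini
# indexes.conf (assumed location: an app's local/ directory on the search head;
# the same stanza must already exist on the indexers)
[iiot_index_metric]
# Without datatype = metric the index is created as an events index,
# which is not a valid mcollect target.
datatype   = metric
# Paths below assume the default $SPLUNK_DB layout.
homePath   = $SPLUNK_DB/iiot_index_metric/db
coldPath   = $SPLUNK_DB/iiot_index_metric/colddb
thawedPath = $SPLUNK_DB/iiot_index_metric/thaweddb
```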
