Solved: Results from Collect command not writing to index?

Aroot002 · ‎02-17-2023

Hi everyone,

I recently took over a project by someone who is no longer with my employer. He made several scheduled searches that write to an index, and it was working great. However last month out of nowhere it just stopped working. Supposedly no changes were made.

The other searches are working, it's just this one. The search runs just fine, gets the expected results, but the results aren't being exported to the index.

I actually found another post on here with someone who looked to have the same problem, but it wasn't successfully answered.

Another post suggested that a forwarder might be a solution. Does that seem right? I'd rather avoid that solution as I don't want to be installing apps on this environment, but if necessary I will get the permission. Just want to make sure that's a probable solution before doing so.

Aroot002 · ‎02-20-2023

Figured it out, needed to add an eval column with the current time to match with the live results

View solution in original post

Seawheels51 · ‎01-10-2025

Collect is very time sensitive and as @gcusello pointed out. My search and collect writing to index was working. I changed the _time=now() to use a now time 14 eval statements earlier in the search and it stopped writing to the index. After viewing this thread, I changed it back to these final three lines in search and now successfully writing the results to index every time:

| eval now=now()
| eval _time=now

| collect index=index output_format=raw spool=true source=yourSource sourcetype=stash

Aroot002 · ‎02-20-2023

Figured it out, needed to add an eval column with the current time to match with the live results

gcusello · ‎02-20-2023

Hi @Aroot002,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello · ‎02-17-2023

Hi @Aroot002,

I suppose that you manually checked the scheduled search, but you checked it in the same time windows of the scheduled search?, in other words, if you search must run at 01.00 and there'a a condition earliest=now, you cannot check it at a different time, so try it again using the same time frame of the scheduled search.

Ciao.

Giuseppe

Aroot002 · ‎02-20-2023

My earliest is 45 days ago and my latest is the current hour, as it is a scheduled hourly search. Results look exactly as they should but are not being written to the index.

Even so, if I run the search manually shouldn't the results of that search be written to the index? That's not happening.

gcusello · ‎02-20-2023

Hi @Aroot002 ,

if the collect command is at the end of your scheduled search, also manually running it results are written in the summary index.

Ciao.

Giuseppe

Aroot002 · ‎02-20-2023

Yes, the last line is

| collect index=indexname source=sourcename

But when I run simply

index=indexname

after running that search, those results don't show up. Everything was working fine until one day in January when it just stopped writting results to the index.

Results from Collect command not writing to index?

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Are you a member of the Splunk Community?

Results from Collect command not writing to index?

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...