Splunk Search

Results from Collect command not writing to index?

Aroot002
Path Finder

Hi everyone,

I recently took over a project by someone who is no longer with my employer. He made several scheduled searches that write to an index, and it was working great. However last month out of nowhere it just stopped working. Supposedly no changes were made. 

The other searches are working, it's just this one. The search runs just fine, gets the expected results, but the results aren't being exported to the index. 

I actually found another post on here with someone who looked to have the same problem, but it wasn't successfully answered. 

Another post suggested that a forwarder might be a solution. Does that seem right? I'd rather avoid that solution as I don't want to be installing apps on this environment, but if necessary I will get the permission. Just want to make sure that's a probable solution before doing so. 

0 Karma
1 Solution

Aroot002
Path Finder

Figured it out, needed to add an eval column with the current time to match with the live results


gcusello
SplunkTrust

Hi @Aroot002,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello
SplunkTrust

Hi @Aroot002,

I suppose that you manually checked the scheduled search, but did you check it in the same time window as the scheduled search? In other words, if your search must run at 01.00 and there's a condition earliest=now, you cannot check it at a different time, so try it again using the same time frame as the scheduled search.

Ciao.

Giuseppe

0 Karma

Aroot002
Path Finder

My earliest is 45 days ago and my latest is the current hour, as it is a scheduled hourly search. Results look exactly as they should but are not being written to the index.

Even so, if I run the search manually shouldn't the results of that search be written to the index? That's not happening. 

0 Karma

gcusello
SplunkTrust

Hi @Aroot002 ,

if the collect command is at the end of your scheduled search, then also when running it manually the results are written to the summary index.

Ciao.

Giuseppe

0 Karma

Aroot002
Path Finder

Yes, the last line is

| collect index=indexname source=sourcename

But when I run simply

index=indexname

after running that search, those results don't show up. Everything was working fine until one day in January when it just stopped writing results to the index.

0 Karma
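The accepted fix above (an eval setting the current time before collect) and the symptom described in this last post (index=indexname showing nothing right after the search ran) point at the same cause: the timestamp collect stamps on the summary events. The search has earliest=45 days ago and ends in stats, which drops _time; on my reading of the collect command's addtime behaviour (an assumption stated here, not something the thread confirms) events without _time are stamped with the search's earliest time, so they land 45 days back and a verification search over the default last-24-hours window never sees them. The following is an added example, not the original poster's search and not Splunk's documentation; the base search on the hypothetical index src_placeholder and the stats fields are assumptions, while indexname and sourcename are the names quoted in the thread.

```spl
index=src_placeholder earliest=-45d@h latest=@h
| stats count AS event_count BY host
| eval _time=now()
| collect index=indexname source=sourcename

index=indexname source=sourcename earliest=-2h@h latest=now
| stats count BY host
```

The first search is the scheduled one: the eval pins _time to the run time so every hourly summary row is written at the hour it was produced rather than at the start of the 45-day lookback. The second is the check to run right after a manual execution; it deliberately uses an explicit earliest that covers the last couple of hours instead of the bare index=indexname from the post, so the result is not dependent on the time picker's default. If the summary rows are needed at their original event times instead (for example to backfill a detection baseline), keep the real _time through the pipeline with stats ... BY _time, host rather than overriding it, and widen the verification search to the same 45-day range.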