Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why is my search using "mcollect" command causing the following error: "Error in 'mcollect' command: Must specify a valid metric index"?

ben_leung
Builder
‎09-11-2018 03:38 PM

In my query before, I was using the outputcsv search command, and then I had a monitoring input stanza to upload it to my metrics index.

I then took out the outputcsv command and started using mcollect.

Not sure why, but the metrics index is not valid when it recieved metrics from a different method.

....  | mcollect index=metrics-index

And on my indexes.conf, the settings is configured to be metrics:

[metrics-index]
datatype = metric

alt text

Preview file
37 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ben_leung
Builder
‎09-19-2018 11:36 PM

Okay so to resolve the issue, setup the metrics index on the search head cluster.
Missing the indexes.conf on our search head cluster. Overlooked this because we have indexes defined on our indexers.
Also because the previous method of using outputcsv and a monitoring stanza did not require any index definition on search heads.

View solution in original post

Reply
Solved! Jump to solution

anem
Explorer
‎11-27-2019 04:53 AM

index=xyz source=abc |table coloumnone coloumtwo |mcollect index=metric_index split=true coloumtwo

above is the example hope it helps

0 Karma
Reply
Solved! Jump to solution
Solution

ben_leung
Builder
‎09-19-2018 11:36 PM

Okay so to resolve the issue, setup the metrics index on the search head cluster.
Missing the indexes.conf on our search head cluster. Overlooked this because we have indexes defined on our indexers.
Also because the previous method of using outputcsv and a monitoring stanza did not require any index definition on search heads.

Reply
Solved! Jump to solution

splunkIT
Splunk Employee
Splunk Employee
‎09-20-2018 09:48 AM

In a distributed splunk environment, the search head also needs to have stub index of the same name and datatype for any of the collect (ie. collect, mcollect, meventcollect). Note: for metric index, you will need to specify datatype = metric in the relevant index.conf stanza.

Reply
Solved! Jump to solution

ben_leung
Builder
‎09-21-2018 03:17 AM

Right, just couldn't find a doc for version 7.1.2 about that.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎09-11-2018 09:05 PM

So, here's some triage steps.

1) Put quotes around your metrics index name and submit again. If that fixes the problem, then the hyphen is being incorrectly interpreted as a minus sign. Skip the remainder of the steps.

2A) Create a new, empty metrics index "junkmetrics" with no special characters in the name.

2B) Try your query with mcollect with that new index.

If that works, then the problem is either the name with the hyphens, or the prior data in the index.

2C) Create a junk index with hyphens in the name and try again. (It's supposed to be allowed as an index name, but none of the examples have hyphens.)

If that works, then the prior data is the likely culprit.

3) If that (2A) does not work, then those two items are off the table, and you know it is probably something with your search language itself. You've already tested the index name, so just report back and let us know, and we'll give you the next tranche of guesses.

0 Karma
Reply
Solved! Jump to solution

ben_leung
Builder
‎09-12-2018 12:36 PM

I feel that the output of the results may not be right since the method is different.

| table _time, value, a_dimension, metric_name | mcollect index=test_metric

_time value a_dimension metric_name
2018-09-12 12:16:01.100 1.45 view_point view.point.metrics
2018-09-12 12:19:01.100 0.9 view_point view.point.metrics
2018-09-12 12:21:01.100 3.41 view_point view.point.metrics

Field value is a double. If I try to rename value to _value, still does not work.

0 Karma
Reply
Solved! Jump to solution

ben_leung
Builder
‎09-11-2018 06:23 PM

This is a distributed search environment with search head clustering.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...