Splunk Doc on collect command is a bit confusing: source: http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Collect#Moving_events_to_a_different_index Moving events to a different index You can use the collect command to move selected file content from one index to another index. Construct a search that returns the data you want to port, and pipe the results to the collect command. For example: index=whatever host=whatever source=whatever whatever | collect index=foo This search ports the data into the foo index. The sourcetype is changed to stash. You can specify a sourcetype with the collect command. However, specifying a sourcetype counts against your license, as if you indexed the data again. ... View more

Restart splunkd of the deployment server should fix the problem. But i am not sure what exactly caused this error yet. Anyone knows about the root cause of this error? ... View more

I have installed sblunkdb connect for some host with some database details now is it possible i can produce a query for extracting name of some particular tables LIKE %err having some update in last five minutes ? ... View more

We have already set splunkdb connect and database is oracle,so Just trying to figure out the way. ... View more

We are looking to extract name of tables from database in which we got some latest entries say in last five minutes and table name should be like '%_ERR' ... View more

As per logs nobody kills it manually still looking for the reason... ... View more

Hi there, the error seems to have disappeared when I moved from a Universal Forwarder configuration to a Light Forwarder. I was not able to get data into my indexers, but I'm not sure if this error had anything to do with it. The error was appearing with as few as 4 hosts, so I don't think it's related to a network load issue. ... View more