Knowledge Management

Collect command not storing to existing index

jamesvz84
Communicator

I have created an index on the indexer (myindex).

I have a search that pipes to collect so that results are stored in the index "win_snapshot":

index=windows_stats | addinfo | table _time info_min_time Drive server_name avg counter site_name | collect index=win_snapshot addtime=true

However, this does not end up getting stored in the win_snapshot index.

What must I do for the data to be stored in win_snapshot. I have another environment where the exact same query is working, but I cannot find out what the difference is.

The role for my user has visibility into this index on both environments.

0 Karma

vasanthmss
Motivator

is it working?

V
0 Karma

vasanthmss
Motivator

Hi James,

I faced the same scenario once, Where as the index is not available in search head.(I am not sure why/how this happen).

you will came to know the same by any of the below options,

Option 1: Go to search head Settings-> Data -> Indexes and check your index is available or not.

Option 2:

 1. create a search
 2. schedule it based on your requirement
 3. check the summary indexing check box
 4. you can see the list of indexes available for summary. I guess the index which you are referring will not be available.

In that case you need create a same index in search head that will work.

Give a try.

Cherrs!

V
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...