Splunk Search

In Advanced XML, can a search output to a collect?

lycollicott
Motivator

I have this code which is intended to just write one event to a tracking index when a user clicks a button:

<module name="Button" layoutPanel="panel_row1_col1" autoRun="False">
  <param name="allowSoftSubmit">True</param>
  <param name="label">Ok</param>
  <module name="HiddenSearch">
    <param name="search">
      | rest /my_custom_endpoint| fields field1,field2| join [search ...| stats count ] | collect index=tracking_index
    </param>
    <param name="earliest">-1h</param>
    <param name="latest">now</param>
    <module name="JobProgressIndicator"></module>
    <module name="Pager">
      <param name="entityName">results</param>
      <module name="SimpleResultsTable">
        <param name="displayRowNumbers">False</param>
        <param name="entityName">results</param>
      </module>
    </module>
  </module>
</module>

So, a user will click OK then the search runs and it displays, but the | collect index=tracking_index does not work. Any suggestions?

BTW, | rest /my_custom_endpoint| fields field1,field2| join [search ...| stats count ] | collect index=tracking_index works fine from the search app, so I am assuming that my problem is in the XML.

Testing update: There were no stash files in var/spool, so I set spool=false and the stash was written to var/run, so that's weird. It indicates the collect might be working partially.

Another update: I searched index=* sourcetype=stash and my events are going into summary instead of tracking_index. So, that seems like the collect is ignoring the index= argument. Weirder still. 🙂

0 Karma
1 Solution

lycollicott
Motivator

I have solved it.

The first issue was <param name="earliest">-1h</param> and how collect's stash file is thereby interpreted. The collect command has a default argument addtime=true which according to documentation "the Splunk software uses the search time range info_min_time". info_min_time is the earliest value of your time range and is written to the stash file, so in my case info_min_time was 1 hour in the past and that became the _time value of my newly indexed event in tracking_index. Every time I was testing this XML form, I was searching for the new events within the last 15 minutes, so of course they didn't appear, because the event was an hour old in the index. I changed the -1h to -1s and now the collect command indexes the events 1 second into the past which is acceptable for this application.

The second issue seems to be that I wasn't specifying a sourcetype argument for my collect command and that it defaulted to stash which seemed to cause the events to go to the summary index instead. My new command looks like this ... | collect index=tracking_index sourcetype=tracker.

View solution in original post

0 Karma

lycollicott
Motivator

I have solved it.

The first issue was <param name="earliest">-1h</param> and how collect's stash file is thereby interpreted. The collect command has a default argument addtime=true which according to documentation "the Splunk software uses the search time range info_min_time". info_min_time is the earliest value of your time range and is written to the stash file, so in my case info_min_time was 1 hour in the past and that became the _time value of my newly indexed event in tracking_index. Every time I was testing this XML form, I was searching for the new events within the last 15 minutes, so of course they didn't appear, because the event was an hour old in the index. I changed the -1h to -1s and now the collect command indexes the events 1 second into the past which is acceptable for this application.

The second issue seems to be that I wasn't specifying a sourcetype argument for my collect command and that it defaulted to stash which seemed to cause the events to go to the summary index instead. My new command looks like this ... | collect index=tracking_index sourcetype=tracker.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...