Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Missing fields after collect command is ran on a search

arpit_arora
Explorer
‎03-13-2018 04:37 PM

Hello, I have the following search query which retrieves the metadata for all the splunk search queries ran in the last hour.

I am also using 'collect' to push this data into the splunkmetrics index with sourcetype 'queries'.

My issue is that if I run this without the collect command at the end, I can see all the 13 fields in a table format, as one would expect. However when I 'collect' these fields in the splunkmetrics index, I see that only a few fields are put into the splunkmetrics index. In other words, I see that my splunkmetrics summary index does not contain all the fields which are returned by the preceding query.

What am I doing wrong here?

===========================================================================================

index=_audit action=search sourcetype=audittrail search_id!="'rsa_*" earliest=-1h@h latest=-0h@h |

eval user = if(user="n/a", null(), user) |

stats min(_time) as _time,
max(total_run_time) as total_run_time,
values(info) as info,
first(host) as searchhead,
values(search) as search,
values(savedsearch_name) as savedsearch_name,
values(user) as user,
values(event_count) as event_count,
values(result_count) as result_count,
values(available_count) as available_count,
values(scan_count) as scan_count,
values(drop_count) as drop_count,
values(is_realtime) as is_realtime

by search_id

| where (isnotnull(search) AND search!="") OR (isnotnull(savedsearch_name) AND savedsearch_name!="") | collect index=splunkmetrics sourcetype=queries

===========================================================================================

Reply

robertosegantin
Path Finder
‎05-14-2018 03:19 AM

I have Splunk Enterprise 6.6.1 and I've got the same issue.
Until I have the solution, I've found this workaround:

index=splunkmetrics sourcetype=queries
| fields _raw 
| KV

Which Splunk version are you using?

0 Karma
Reply

p_gurav
Champion
‎03-13-2018 11:32 PM

which fields are missing? Because I can see all fields in splunkmetrics index after running query. Are you searching in "Verbose mode"?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...