Knowledge Management

Missing fields after collect command is run on a search

arpit_arora
Explorer

Hello, I have the following search query which retrieves the metadata for all the Splunk search queries run in the last hour.

I am also using 'collect' to push this data into the splunkmetrics index with sourcetype 'queries'.

My issue is that if I run this without the collect command at the end, I can see all the 13 fields in a table format, as one would expect. However, when I 'collect' these fields in the splunkmetrics index, I see that only a few fields are put into the splunkmetrics index. In other words, I see that my splunkmetrics summary index does not contain all the fields which are returned by the preceding query.

What am I doing wrong here?

===========================================================================================

index=_audit action=search sourcetype=audittrail search_id!="'rsa_*" earliest=-1h@h latest=-0h@h
| eval user = if(user="n/a", null(), user)
| stats min(_time) as _time,
    max(total_run_time) as total_run_time,
    values(info) as info,
    first(host) as searchhead,
    values(search) as search,
    values(savedsearch_name) as savedsearch_name,
    values(user) as user,
    values(event_count) as event_count,
    values(result_count) as result_count,
    values(available_count) as available_count,
    values(scan_count) as scan_count,
    values(drop_count) as drop_count,
    values(is_realtime) as is_realtime
  by search_id
| where (isnotnull(search) AND search!="") OR (isnotnull(savedsearch_name) AND savedsearch_name!="")
| collect index=splunkmetrics sourcetype=queries

===========================================================================================

robertosegantin
Path Finder

I have Splunk Enterprise 6.6.1 and I've got the same issue.
Until I have the solution, I've found this workaround:

index=splunkmetrics sourcetype=queries
| fields _raw 
| KV

Which Splunk version are you using?

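As an added illustration (not code from either poster, and not Splunk's implementation of collect or kv), the Python below models what the question and the workaround above both rely on: collect writes each stats row into the summary index as a `_raw` line of key="value" pairs, and the fields only reappear when something re-extracts them from `_raw`, which is exactly what `| fields _raw | kv` forces. The `_raw` layout used here (timestamp first, comma-separated pairs, embedded quotes escaped with a backslash, multivalue fields written as repeated keys, underscore-prefixed internal fields and empty values omitted) is an assumption made for the example, as is the sample row; the point is to see which of the 13 fields survive a write/extract round trip and why a `search` value full of quotes and pipes needs the escaping.

```python
import re
from typing import Dict, List, Optional, Union

Value = Union[str, List[str]]


def _quote(value: str) -> str:
    """Quote one value for the _raw line, escaping backslashes and embedded quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def serialize_collect_row(timestamp: str, row: Dict[str, Optional[Value]]) -> str:
    """Model of what collect writes for one stats row (assumed layout, see lead-in):
    timestamp first, then comma-separated key="value" pairs. Multivalue fields
    (e.g. from values()) are written as repeated keys; internal fields whose names
    start with '_' and empty/null values are not written."""
    parts = [timestamp]
    for key, value in row.items():
        if key.startswith("_"):
            continue
        values = value if isinstance(value, list) else [value]
        for v in values:
            if v is None or v == "":
                continue
            parts.append(f"{key}={_quote(v)}")
    return ", ".join(parts)


# key=value where value is either a double-quoted string (with \" and \\ escapes)
# or a bare token that runs until the next comma or whitespace.
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^,\s]+))')


def extract_kv(raw: str) -> Dict[str, Value]:
    """Search-time KV extraction over _raw, the job `| kv` (extract) does in SPL.
    Repeated keys become a list so multivalue fields survive the round trip."""
    fields: Dict[str, Value] = {}
    for m in KV_RE.finditer(raw):
        key = m.group(1)
        if m.group(2) is not None:
            val = re.sub(r"\\(.)", r"\1", m.group(2))  # undo the escaping
        else:
            val = m.group(3)
        if key in fields:
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [val]
        else:
            fields[key] = val
    return fields


def missing_fields(row: Dict[str, Optional[Value]], extracted: Dict[str, Value]) -> List[str]:
    """Names from the original stats row that did not come back out of _raw."""
    return sorted(k for k in row if k not in extracted)


# Constructed sample row, shaped like one result of the stats in the question.
SAMPLE_ROW: Dict[str, Optional[Value]] = {
    "search_id": "1715680800.123",
    "total_run_time": "2.41",
    "info": ["granted", "completed"],      # values(info) yields a multivalue field
    "searchhead": "sh01.example.internal",
    "search": 'index=_audit action=search search_id!="\'rsa_*" | stats count by user',
    "savedsearch_name": "",                # ad-hoc search: no saved-search name
    "user": "analyst",
    "event_count": "1500",
    "result_count": "3",
    "is_realtime": "0",
    "_cd": "12:345",                       # internal field, assumed not written by collect
}

if __name__ == "__main__":
    raw = serialize_collect_row("05/14/2024 10:00:00 +0000", SAMPLE_ROW)
    print(raw)
    back = extract_kv(raw)
    print("round-tripped search:", back["search"])
    print("not recoverable from _raw:", missing_fields(SAMPLE_ROW, back))
```

Running it shows that every non-empty, non-internal field comes back once it is explicitly extracted from `_raw`, including the multivalue `info` and the `search` value that itself contains `=` and `"` characters; what does not come back is an empty `savedsearch_name` and the underscore-prefixed internal field, which is the kind of list to compare against the fields you see missing in your own summary index.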

p_gurav
Champion

Which fields are missing? Because I can see all fields in splunkmetrics index after running query. Are you searching in "Verbose mode"?
