This page last updated: 06/24/08 11:06am

Search command: collect

Summary indexing uses the collect command to place the results of a saved search into a summary index so you can search them later. You can also use | collect in any search to place search results in any index. For example, if you create reports from a search, use | collect to index them so that you can search across all of the reports uniformly, or build a larger aggregate report from multiple reports.

Before collect indexes search results, it saves them as events in a file ($SPLUNK_HOME/var/spool/splunk/events_random-number.stash by default). You can override the default file name and location using the file and path options. Use other collect options to override other default settings.

Syntax

collect collect-index [collect option],...

Arguments

collect-index
    index=string
    Specify the name of the index to add search results to. Note: The specified index must already exist. Configure indexes in indexes.conf.

collect option
    collect option = addtime | file | path | marker | testmode
    Specify options to override default settings of collect.

    addtime=(T | F), default=T
    Set to true (T) to tell Splunk to prepend a timestamp to events that have no extractable timestamp in their _raw field.

    file=string, default=events_random-number.stash
    Specify the file to write events to.

    marker=string, default=" "
    Specify a string of field/value pairs (comma-delimited list) to append to each event that is indexed.

    path=string, default=$SPLUNK_HOME/var/spool/splunk/
    Specify the path to store the file that events are written to. Note: Splunk must have this path set as a data input for events in the file to be indexed.

    testmode=(T | F), default=F
    Set to true (T) to put collect in test mode. In test mode, search results are not written into the new index, but they are still rendered in Splunk Web as they would appear if they were indexed.

Examples

Splunk Web:
This example searches Web server data and builds a report based on client IPs. The report is then indexed into the index WebReports.

host=webserver1 eventtype=banner_access NOT eventtypetag=bot NOT eventtypetag=images NOT eventtype=splunk_IPs NOT eventtype=10dot_IP_range NOT eventtypetag=invalid_page | stats distinct_count(clientip) as uniqueIPs, max(_time), min(_time) | eval site="update_banners" | collect index=WebReports

This example searches Web server data for raw downloads and indexes the results in the index downloadcount.

"eventtypetag=download" NOT eventtypetag=bot NOT eventtypetag=internal | collect index=downloadcount
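The following savedsearches.conf fragment is an added example, not from the original page, showing how collect is normally driven: a scheduled search summarizes failed logins per hour into a summary index, and a second search reports on that index using the marker fields. The stanza names, the sourcetype linux_secure and the index security_summary are assumptions; security_summary must already exist in indexes.conf, as the page notes.

```ini
# savedsearches.conf (added example; stanza names, sourcetype and index are assumed)

# Scheduled search: runs five minutes past each hour over the previous full hour
# and writes one summary event per (src_ip, user) pair into the summary index.
# marker= tags every summary event so it can be told apart from other reports.
# Run once with testmode=T to preview the events before they are written.
[Hourly failed logins to summary]
search = sourcetype=linux_secure "Failed password" | stats count AS failures BY src_ip, user | collect index=security_summary marker="report=failed_logins,interval=1h" addtime=T testmode=F
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
enableSched = 1

# Reporting search over the summary index: cheap to run across weeks of data
# because it reads the hourly counts, not the raw authentication log.
[Failed login trend from summary]
search = index=security_summary report=failed_logins | timechart span=1h sum(failures) AS failures BY src_ip
enableSched = 0
```

Because addtime=T is set, summary events without a timestamp in _raw get one prepended, so the trend search can bucket them by time.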
