Search Reference


collect

Synopsis

Puts search results into a summary index.

Syntax

collect index [arg-options]*

Required arguments

index
Syntax: index=<string>
Description: Name of the index where Splunk should add the events. The index must already exist for events to be added to it; the index is NOT created automatically.

Optional arguments

arg-options
Syntax: addtime | file | spool | marker | testmode
Description: Optional arguments for the collect command.

Collect options

addtime
Syntax: addtime=<bool>
Description: Specify whether to prefix a time to each event if the event does not contain a _raw field. Splunk takes the time from the first of these that it finds: info_min_time, _time, now(). Default is true.
file
Syntax: file=<string>
Description: Name of the file to write the events to. Optional; default is "<random-num>_events.stash". The placeholders $timestamp$ and $random$ can be used in the file name and are replaced with a timestamp and a random number, respectively.
marker
Syntax: marker=<string>
Description: A string, usually of key-value pairs, that is appended to each event written out. Optional; default is empty.
spool
Syntax: spool=<bool>
Description: If set to true (the default), the summary indexing file is written to Splunk's spool directory, where it is indexed automatically. If set to false, the file is written to $SPLUNK_HOME/var/run/splunk.
testmode
Syntax: testmode=<bool>
Description: Toggles between testing and real mode. In testing mode the results are not written into the new index, but the search results are modified to appear as they would if they had been sent to the index. Default is false.

Description

Adds the results of the search to the specified index. Behind the scenes, the events are written to a file whose name format is events_random-num.stash (unless overridden with the file option) in a directory that Splunk watches for new events. If the events contain a _raw field, that field is saved as-is; if they don't, a _raw field is constructed by concatenating all the fields into a comma-separated list of key=value pairs.
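To make the _raw construction, addtime and marker rules above concrete, here is an added Python model of that per-result logic and of the file-name placeholders; it is an illustration written for this page, not Splunk's code, and the separators between the time prefix, the field list and the marker, as well as the field order, are assumptions.

```python
import time

# Added model of the documented `collect` behaviour for one search result.
# Illustration only, not Splunk's implementation: separators and field order
# are assumptions; the .stash file layout itself is not modelled.


def build_collect_raw(event, addtime=True, marker="", now=None):
    """Return the _raw text `collect` would write for one result dict."""
    if "_raw" in event:
        # A result that already carries _raw is saved as-is; addtime does not apply.
        raw = str(event["_raw"])
    else:
        # Otherwise _raw is built from all fields as a comma-separated key=value list.
        raw = ",".join(f"{k}={v}" for k, v in event.items())
        if addtime:
            # The time comes from the first field found: info_min_time, then _time,
            # then now() (injectable here so the result is deterministic in tests).
            ts = next((event[k] for k in ("info_min_time", "_time") if k in event), None)
            if ts is None:
                ts = now if now is not None else time.time()
            raw = f"{ts} {raw}"  # assumed: single space between time prefix and fields
    if marker:
        # marker is appended verbatim to every event written out.
        raw = f"{raw} {marker}"
    return raw


def resolve_file_name(template, timestamp, random_num):
    """Expand the $timestamp$ and $random$ placeholders allowed in file=<string>."""
    return template.replace("$timestamp$", str(timestamp)).replace("$random$", str(random_num))


if __name__ == "__main__":
    # Constructed sample results (e.g. from `... | stats count by host`), not real Splunk output.
    sample = [
        {"info_min_time": 1300000000, "_time": 1300003600, "host": "web01", "count": 7},
        {"_raw": "already raw text", "host": "web02"},
    ]
    for r in sample:
        print(build_collect_raw(r, marker="report=downloadcount"))
    print(resolve_file_name("$timestamp$_$random$_events.stash", 1300000000, 4242))
```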

Examples

Example 1: Put "download" events into an index named "downloadcount".

eventtypetag="download" | collect index=downloadcount

See also

overlap, sichart, sirare, sistats, sitop, sitimechart

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the collect command.

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5
