Splunk® Enterprise

Search Reference


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.

collect

Synopsis

Puts search results into a summary index.

Syntax

collect index [arg-options]*

Required arguments

index
Syntax: index=<string>
Description: Name of the index where Splunk should add the events. The index must already exist for events to be added to it; it is NOT created automatically.

Optional arguments

arg-options
Syntax: addtime=<bool> | file=<string> | spool=<bool> | marker=<string> | testmode=<bool> | run-in-preview=<bool>
Description: Optional arguments for the collect command.

Collect options

addtime
Syntax: addtime=<bool>
Description: If the search results you want to collect do not have a _raw field (such as results of stats, chart, timechart), specify whether to prefix a time field into each event. Specifying false means that Splunk will use its generic date detection against fields in whatever order they happen to be in the summary rows. Specifying true means that Splunk will use the search time range info_min_time (which is added by sistats) or _time. Splunk adds the time field based on the first field that it finds: info_min_time, _time, now(). Default is true.
file
Syntax: file=<string>
Description: Name of the file to write the events to. Optional, default "<random-num>_events.stash". The placeholders $timestamp$ and $random$ can be used in the file name and are replaced with a timestamp and a random number, respectively.
The file name must end in ".stash" when used with "index="; otherwise the data is added to the main index.
marker
Syntax: marker=<string>
Description: A string, usually of key-value pairs, to append to each event written out. Optional, default is empty.
run-in-preview
Syntax: run-in-preview=<bool>
Description: Controls whether the collect command is enabled during preview generation. Generally, you do not want to insert preview results into the summary index, so leave run-in-preview=false. In some cases, such as when a custom search command is used as part of the search, you might want to turn this on to ensure that correct summary-indexable previews are generated. Default is false.
spool
Syntax: spool=<bool>
Description: If set to true (the default), the summary indexing file is written to Splunk's spool directory, where it is indexed automatically. If set to false, the file is written to $SPLUNK_HOME/var/run/splunk.
testmode
Syntax: testmode=<bool>
Description: Toggle between test and real mode. In test mode the results are not written to the index, but the search results are modified to appear as they would if they had been sent to the index. Default is false.

Description

Adds the results of the search to the specified index. Behind the scenes, the events are written to a file whose name has the format events_random-num.stash, unless overridden with the file option, in a directory that Splunk watches for new events. If the events contain a _raw field, the raw field is saved as-is; if they do not have a _raw field, one is constructed by concatenating all of the fields into a comma-separated list of key=value pairs.

The collect command also works with all-time real-time searches.

Note: If the collect command is applied to events that do not have timestamps, it assigns all of those events a time equal to the earliest (minimum) time of the search range. For example, if the collect command runs over the past four hours (range: -4h to +0h), every event without a timestamp is given a timestamp four hours before the time the search was launched.

If collect is being used with an all-time search and the events being collected don't have timestamps, Splunk will use the current system time for the timestamps.
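As an added illustration (not Splunk's own code), the following Python models how collect builds each summary event from the rules above: an existing _raw is kept, other rows are joined as key=value pairs, addtime takes the time from info_min_time then _time, and rows with no timestamp fall back to the earliest search time or, for an all-time search, the current time. The separator layout and the field names of the sample rows are assumptions for the model.

```python
"""Model of how `collect` turns a result row into a summary-index event.
Added illustration of the documented behaviour, not Splunk's implementation;
the exact delimiter layout of the .stash line is an assumption."""
import time


def build_collect_raw(row, addtime=True, marker="", search_earliest=None, now=None):
    """Return the _raw line that collect would write for one result row.

    row             -- dict of field name -> value, as a search result row
    addtime         -- the addtime option: prefix a time onto rows lacking _raw
    marker          -- the marker option: string appended to every event
    search_earliest -- earliest time of the search range; None = all-time search
    now             -- injectable clock (epoch seconds) so the model is testable
    """
    now = time.time() if now is None else now

    # Rows that already carry _raw are written as-is.
    if "_raw" in row:
        body = row["_raw"]
    else:
        # No _raw: concatenate every field as comma-separated key=value pairs.
        body = ", ".join(f"{k}={v}" for k, v in row.items())

        if addtime:
            # Time precedence: info_min_time (added by sistats), then _time,
            # then the fallback for rows with no timestamp at all.
            ts = row.get("info_min_time", row.get("_time"))
            if ts is None:
                # Earliest time of the search range, or now() for all-time.
                ts = now if search_earliest is None else search_earliest
            body = f"{ts}, {body}"

    if marker:
        body = f"{body}, {marker}"
    return body


if __name__ == "__main__":
    # Constructed sample rows: a sistats row, a raw event, a stats row with no time.
    print(build_collect_raw({"info_min_time": 1700000000, "user": "alice", "count": 42},
                            marker="report=failed_auth"))
    print(build_collect_raw({"_raw": "Jan 1 00:00:00 host sshd: Failed password", "_time": 5}))
    print(build_collect_raw({"user": "bob", "count": 1}, search_earliest=1699985600))
```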

For more information on summary indexing of data without timestamps, see "Use summary indexing for increased reporting efficiency" in the Knowledge Manager Manual.

Examples

Example 1: Put "download" events into an index named "downloadcount".

eventtypetag="download" | collect index=downloadcount

See also

overlap, sichart, sirare, sistats, sitop, sitimechart, tscollect

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the collect command.


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18

