Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

tscollect

The tscollect command is an internal command used to save search results into a tsidx formatted file. Currently, it is an experimental command and not supported by Splunk. No data you collect with this command will be compatible with later versions of Splunk Enterprise.

The tscollect command uses indexed fields to create time series index (tsidx) files in a namespace that you define. The result tables in these files are a subset of the data that you've already indexed. This then enables you to use the tstats command to search and report on these tsidx files instead of searching raw data. Because you are searching on a subset of the full index, the search should complete faster than it would otherwise.

tscollect can create multiple tsidx files in the same namespace. It will begin a new tsidx file when it determines that the one it's currently creating has gotten big enough.

Synopsis

Writes results into tsidx file(s) for later use by tstats command.

Important: The 'indexes_edit' capability is required to run this command.

Syntax

... | tscollect namespace=<string> [squashcase=<bool>] [keepresults=<bool>]

Optional arguments

keepresults
Syntax: keepresults = true | false
Description: If true, tscollect outputs the same results it received as input. If false, tscollect returns the count of results processed (this is more efficient since it does not need to store as many results). Defaults to false.
namespace
Syntax: namespace=<string>
Description: Define a location for the tsidx file(s). If namespace is provided, the tsidx files are written to a directory of that name under the main tsidxstats directory (that is, within $SPLUNK_DB/tsidxstats). These namespaces can be written to multiple times to add new data. If namespace is not provided, the files are written to a directory within the job directory of that search, and will live as long as the job does. This namespace location is also configurable in index.conf, with the attribute tsidxStatsHomePath.
squashcase
Syntax: squashcase = true | false
Description: Specify whether or not the case for the entire field::value tokens are case sensitive when it is put into the lexicon. To create indexed field tsidx files similar to Splunk's, set squashcase=true for results to be converted to all lowercase. Defaults to false.

Examples

Example 1: Write the results table to tsidx files in namespace foo.

... | tscollect namespace=foo

Example 2: Retrieve events from the main index and write the values of field foo to tsidx files in the job directory.

index=main | fields foo | tscollect

See also

collect, stats, tstats

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the tscollect command.

PREVIOUS
runshellscript
  NEXT
tstats

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters