USAGE OF SPLUNK COMMANDS: COLLECT

Hi Guys!!!
Today we have come with a very useful command, the “collect” command.
So, let’s start.
Usage of the “collect” command:
Using the “collect” command, the result of any search can be sent to a summary index.
Eg: Here, we will use a summary index named “test_summary”, which we have already created.

Syntax of “collect” command:

| collect index=<string> [marker=<string> | testmode=<bool>]

Description of the “collect” command’s arguments:

index=<string>: Here, you have to mention the name of the summary index where you want to store the results of the search query. The index is not created automatically; you have to create it before adding results to it.
NOTE: “index” is the only required argument of the “collect” command.
marker=<string>: If you want to add or append a string to each of the events written to the summary index, you can use this.
This is like a key-value pair. Each key-value pair must be separated by a comma and a space. This can be helpful to search for particular events by their “marker” value.
testmode=<bool>: If this is set to true, the results are not added to the summary index but are modified to appear as they would look if sent to the index. If false, the results are added directly to the index. The default value is false.


Example: 1
Please see the query below:

index=_internal
| stats count by method
| collect index=test_summary

Explanation:
Here, we have used the “_internal” index.
| stats count by method -> We have used this to get the count of each value of the “method” field.
| collect index=test_summary -> This will collect the result set of (“index=_internal | stats count by method”) in the “test_summary” summary index in the form of events. Please see the image below to see how it looks.

Explanation:
As you can see in the above image, we have used the query below:

index=test_summary

Here, we can see 3 events that contain the 3 statistics we got from the previous query, and you can also see the values of the “method” field and their “count”, along with some other information, in the events. Now, let’s take one event and discuss what information we get in each event:

07/22/2020 15:55:08 +0530 -> This is the event time.
info_min_time=1595413508.000 -> In “info_min_time”, we can see the earliest time (in epoch time format) of the query we ran while sending the data to the “test_summary” index.
info_max_time=1595414408.000 -> In “info_max_time”, we can see the latest time (in epoch time format) of the query we ran while sending the data to the “test_summary” index.
info_search_time=1595414408.556 -> In “info_search_time”, we can see the time (in epoch time format) at which we ran the query while sending the data to the “test_summary” index.
count=1 -> This is the field “count”, and its value comes from the result set of the query we used.
method=DELETE -> This is the field “method”, and its value comes from the result set of the query we used.


Example: 2
Please see the query below:

index=_audit
| stats count by info
| collect index=test_summary  marker=search_name=info_count

Explanation:
Here, we have used the “_audit” index.
| stats count by info -> We have used this to get the count of each value of the “info” field.
| collect index=test_summary marker=search_name=info_count -> This will collect the result set of (“index=_audit | stats count by info”) in the “test_summary” summary index in the form of events, and because we have used “marker=search_name=info_count”, this will append the string “search_name=info_count” to each of the events from this result set. Please see the image below to see how it looks.

Explanation:
As you can see in the above image, we have used the query below:

index=test_summary

Here, we can see 2 events that contain the 2 statistics we got from the previous query, and you can also see the values of the “info” field and their “count” in the events.
Also, you can see that the marker “search_name=info_count” is added to each of these events. Using a marker can be helpful to search for specific events.

Example: 3
Please see the query below:

index=_internal
| stats count by status
| collect index=test_summary testmode=true

Explanation:
Here, we have used the “_internal” index.
| stats count by status -> We have used this to get the count of each value of the “status” field.
| collect index=test_summary testmode=true -> As we have used testmode=true, the data will not be sent to the index but is modified to appear as it would look if sent to the index [as you can see in the above image].
This can be helpful if, before sending the data to the summary index, you want to see how the events will look.
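To make the behaviour of the three arguments and the summary-event layout concrete, here is an added Python model of what “collect” writes. It is not Splunk’s code and is not from the original post: it renders result rows as events with the same timestamp, info_min_time, info_max_time, info_search_time, result fields and marker pairs that the event dissected under Example 1 shows, refuses a summary index that does not exist, and with testmode=true returns the events without storing them. The summary index is a plain dict, the SAMPLE_ROWS result set and the search_name=method_count marker are constructed, and the field order, value quoting and the rule that an event without _time is stamped with info_min_time (which matches the post’s event) are assumptions of this model.

```python
"""Model of what Splunk's collect command writes into a summary index.

Constructed example, not Splunk's own code. The summary "index" is a plain
dict of event strings; field order and quoting are assumptions of this model.
"""
from datetime import datetime, timedelta, timezone

# Assumption: the post's events carry +0530, so timestamps are rendered in that zone.
IST = timezone(timedelta(hours=5, minutes=30))


def parse_marker(marker):
    """Split a marker such as "search_name=info_count, run=1" into key/value pairs.
    Each pair is separated by a comma and a space, as the post describes."""
    pairs = {}
    if not marker:
        return pairs
    for pair in marker.split(", "):
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"marker pair must look like key=value: {pair!r}")
        pairs[key] = value
    return pairs


def _quote(value):
    """Quote values containing spaces or commas so the event stays parseable."""
    text = str(value)
    return f'"{text}"' if (" " in text or "," in text) else text


def format_summary_event(row, info_min_time, info_max_time, info_search_time, marker=""):
    """Render one result row as a summary-index event string.

    A row without _time is stamped with the earliest time of the search range
    (info_min_time); that is why the post's event time equals its info_min_time.
    """
    event_time = row.get("_time", info_min_time)
    stamp = datetime.fromtimestamp(event_time, tz=IST).strftime("%m/%d/%Y %H:%M:%S %z")
    fields = {
        "info_min_time": f"{info_min_time:.3f}",
        "info_max_time": f"{info_max_time:.3f}",
        "info_search_time": f"{info_search_time:.3f}",
    }
    for key in sorted(k for k in row if k != "_time"):
        fields[key] = row[key]
    fields.update(parse_marker(marker))  # marker pairs are appended to every event
    body = ", ".join(f"{k}={_quote(v)}" for k, v in fields.items())
    return f"{stamp}, {body}"


def collect(store, rows, index, info_min_time, info_max_time, info_search_time,
            marker="", testmode=False):
    """Behave like `| collect index=<index> marker=<marker> testmode=<bool>`.

    `store` maps index names to lists of events. The target index must already
    exist; collect does not create it. With testmode=True the rendered events
    are returned for inspection but nothing is written to the store.
    """
    if index not in store:
        raise KeyError(f"summary index {index!r} does not exist; create it first")
    events = [format_summary_event(r, info_min_time, info_max_time, info_search_time, marker)
              for r in rows]
    if not testmode:
        store[index].extend(events)
    return events


def search_marker(store, index, key, value):
    """Return only the events carrying a given marker pair, e.g. search_name=info_count."""
    needle = f"{key}={_quote(value)}"
    return [e for e in store[index] if needle in e.split(", ")]


# Constructed result set, as "index=_internal | stats count by method" might return.
SAMPLE_ROWS = [
    {"method": "DELETE", "count": 1},
    {"method": "GET", "count": 2514},
    {"method": "POST", "count": 137},
]
# Times taken from the event dissected in the post: a 15-minute search window.
MIN_T, MAX_T, SEARCH_T = 1595413508.000, 1595414408.000, 1595414408.556

if __name__ == "__main__":
    store = {"test_summary": []}
    preview = collect(store, SAMPLE_ROWS, "test_summary", MIN_T, MAX_T, SEARCH_T, testmode=True)
    print("testmode preview, events stored:", len(store["test_summary"]))
    print(preview[0])
    collect(store, SAMPLE_ROWS, "test_summary", MIN_T, MAX_T, SEARCH_T,
            marker="search_name=method_count")
    for event in search_marker(store, "test_summary", "search_name", "method_count"):
        print(event)
```

Running the script first shows the testmode preview leaving the index empty, then writes the three events with the marker and pulls them back by the marker pair, which is the workflow the three examples above walk through one step at a time.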


Happy Splunking !!!
