I have this code which is intended to just write one event to a tracking index when a user clicks a button:TrueOk
| rest /my_custom_endpoint| fields field1,field2| join [search ...| stats count ] | collect index=tracking_index-1hnowresultsFalseresults
So, a user will click `OK` then the search runs and it displays, but the `| collect index=tracking_index` does not work. Any suggestions?
BTW, `| rest /my_custom_endpoint| fields field1,field2| join [search ...| stats count ] | collect index=tracking_index` works fine from the search app, so I am assuming that my problem is in the XML.
**Testing update**: There were no stash files in `var/spool`, so I set `spool=false` and the stash was written to `var/run`, so that's weird. It indicates the collect might be working partially.
Another update: I searched `index=* sourcetype=stash` and my events are going into `summary` instead of `tracking_index`. So, that seems like the `collect` is ignoring the `index=` argument. Weirder still. :)
↧