https://community.splunk.com/t5/Getting-Data-In/How-can-I-collect-to-generate-more-sample-data/m-p/361645#M65941 <P>Hey</P> <P>I believe that your best solution is to use eventgen.</P> <P>The reason the field cluster doesn't show in the mock index is that collect gets only the _raw data into the new index (and allows you to change host and source and sourcetype which are metada fields), and cluster is a search time created field.</P> <P>Collect is not intended for generating "sample" data. Check eventgen</P> <P><A href="https://splunkbase.splunk.com/app/1924/">https://splunkbase.splunk.com/app/1924/</A></P> Fri, 16 Mar 2018 16:12:50 GMT tiagofbmm 2018-03-16T16:12:50Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-collect-to-generate-more-sample-data/m-p/361644#M65940 <P>I'm trying to perform a collect with the intention of making my data more heterogeneous. Meaning if I have data from only one host, I want to collect the same data but with a different host and some other different fields. Like _time for instance.</P> <PRE><CODE>index=mock | eval _time = _time + 86400, cluster = "EDS" | collect index=mock host = "new_host" </CODE></PRE> <P>So the new data comes with the same _raw and new host, but the _time field stays the same as the original, meaning I can't collect the data and tell that it belongs to the next day. The field cluster also does not get collected. Any ideas?</P> Fri, 16 Mar 2018 16:02:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-collect-to-generate-more-sample-data/m-p/361644#M65940 greggz 2018-03-16T16:02:20Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-collect-to-generate-more-sample-data/m-p/361645#M65941 <P>Hey</P> <P>I believe that your best solution is to use eventgen.</P> <P>The reason the field cluster doesn't show in the mock index is that collect gets only the _raw data into the new index (and allows you to change host and source and sourcetype which are metada fields), and cluster is a search time created field.</P> <P>Collect is not intended for generating "sample" data. Check eventgen</P> <P><A href="https://splunkbase.splunk.com/app/1924/">https://splunkbase.splunk.com/app/1924/</A></P> Fri, 16 Mar 2018 16:12:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-collect-to-generate-more-sample-data/m-p/361645#M65941 tiagofbmm 2018-03-16T16:12:50Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-collect-to-generate-more-sample-data/m-p/361646#M65942 <P>Hi @greggz, </P> <P>I'm not sure <CODE>cluster</CODE> field directly indexed in index but I have tried to add it in <CODE>_raw</CODE>. Can you please try below search?</P> <PRE><CODE>index=mock | eval _time = _time + 86400, _raw=_raw." cluster=\"EDS\"" | collect index=mock host = "new_host" </CODE></PRE> <P>Thanks</P> Fri, 16 Mar 2018 16:18:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-collect-to-generate-more-sample-data/m-p/361646#M65942 kamlesh_vaghela 2018-03-16T16:18:28Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-collect-to-generate-more-sample-data/m-p/361647#M65943 <P>In my experience with Splunk 6.6.x, the time fields applied via <CODE>collect</CODE> will default to the value of <CODE>info_min_time</CODE>, which is the earliest time of the search window. This is consistent with <A href="http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Collect">the documentation about collect</A>.</P> <P>I've had good luck using the <CODE>addtime=false</CODE> option with collect. You might play with that and see if it works for you. I've had conversations with other folks for whom it didn't work, but we weren't able to trace the root cause.</P> Fri, 16 Mar 2018 16:57:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-collect-to-generate-more-sample-data/m-p/361647#M65943 elliotproebstel 2018-03-16T16:57:56Z