https://community.splunk.com/t5/Knowledge-Management/Is-collect-command-working-correctly/m-p/437127#M3891 <P>thank you!!</P> Thu, 02 May 2019 13:18:42 GMT dreadangel 2019-05-02T13:18:42Z https://community.splunk.com/t5/Knowledge-Management/Is-collect-command-working-correctly/m-p/437125#M3889 <PRE><CODE>index=* sourcetype="..." ... | eval new_field="new_value-".old_field, new_field_id="[some new id]".old_field_id | table * | collect index=inx_copy_data </CODE></PRE> <P>Straightforward task - to select events, filter them, add some new fields, copy the results to another index. <BR /> But in <STRONG>inx_copy_data</STRONG> not all data is copied - I can't find the new fields (new_field, new_field_id) nor the old ones (old_field, old_field_id).<BR /> Do I miss something?</P> Wed, 30 Sep 2020 00:19:56 GMT https://community.splunk.com/t5/Knowledge-Management/Is-collect-command-working-correctly/m-p/437125#M3889 dreadangel 2020-09-30T00:19:56Z https://community.splunk.com/t5/Knowledge-Management/Is-collect-command-working-correctly/m-p/437126#M3890 <P>Hi @dreadangel</P> <P>Use <CODE>stats</CODE> instead of <CODE>table *</CODE> because using <CODE>table</CODE>doesn't transform the results and <CODE>collect</CODE> would still get the raw data.</P> <P>something like this should do the trick : </P> <PRE><CODE>index=* sourcetype="..." ... | eval new_field="new_value-".old_field, new_field_id="[some new id]".old_field_id | stats values(*) as * by _time | collect index=inx_copy_data </CODE></PRE> <P>Reference here :<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Collect">https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Collect</A></P> <P>Note: <BR /> Summary indexing counts against ur license so careful when using it.</P> <P>Cheers,<BR /> David</P> Thu, 02 May 2019 12:45:02 GMT https://community.splunk.com/t5/Knowledge-Management/Is-collect-command-working-correctly/m-p/437126#M3890 DavidHourani 2019-05-02T12:45:02Z https://community.splunk.com/t5/Knowledge-Management/Is-collect-command-working-correctly/m-p/437127#M3891 <P>thank you!!</P> Thu, 02 May 2019 13:18:42 GMT https://community.splunk.com/t5/Knowledge-Management/Is-collect-command-working-correctly/m-p/437127#M3891 dreadangel 2019-05-02T13:18:42Z https://community.splunk.com/t5/Knowledge-Management/Is-collect-command-working-correctly/m-p/437128#M3892 <P>so the big problem is due to <STRONG>_raw</STRONG> field, correct? Is any way to avoid this? Or I should omit <STRONG>_raw</STRONG> fields from collect command ?</P> Tue, 07 May 2019 08:54:46 GMT https://community.splunk.com/t5/Knowledge-Management/Is-collect-command-working-correctly/m-p/437128#M3892 dreadangel 2019-05-07T08:54:46Z https://community.splunk.com/t5/Knowledge-Management/Is-collect-command-working-correctly/m-p/437129#M3893 <P>yeah, sure you can omit it to avoid having the same info multiple times. It's actually best to replace that * with the exact fields you need</P> Tue, 07 May 2019 10:30:19 GMT https://community.splunk.com/t5/Knowledge-Management/Is-collect-command-working-correctly/m-p/437129#M3893 DavidHourani 2019-05-07T10:30:19Z