I want to use the collect command and want to push the Host, source and source-type coming from the Original index.
index=sm sourcetype=mysqld
| eval host1=host
| eval index1=index
| eval sourcetype1=sourcetype
| eval source1=source
| collect index="test" source=source1
It is pushing the "source1" string instead of its actual value. Any idea how to send the actual dynamic value?
The host, source and sourcetype attributes of the collect command are string attributes, so I don't think you can put field references in there. Doesn't collect retain the existing host and source values anyway? Sourcetype will be changed to stash by default.