I have a saved search that is executed every minute and generates data. I have a "collect index=" command in the search to save the generated data to an index.
My observation is that the index is collecting data, but with the incorrect value for the _time field of the index.
What is causing the invalid timestamp to be recorded in the _time field? How can I fix this?
Please let me know.
Setting _time=now() and collecting the events in the index is setting the _time correctly to the current time.
But I am not sure if this is how collect should be working.
Some more information on the issue we are facing.
It seems like _time is being set to the latestTime of the search.
This is not right.