I want to extract certain events into the same index with a different sourcetype. This is simple, but I would like to change the timestamp of the collect event to server time.
This is the search I am using, but it keeps the original timestamp of the event.
index="cartt" | tail 100 | collect addtime=false index=cartt host=CARTT source=cartt_deleted sourcetype=cartt_deleted
Why do you want to change the sourcetype?
You can use [source:] in props.conf to create search time customizations for summary data.
How about this?
index="cartt" | tail 100 | eval _time=now() | collect addtime=false index=cartt host=CARTT source=cartt_deleted sourcetype=cartt_deleted