Solved: How to insert data correctly with collect command ...

jordilazo · ‎10-10-2022

Hi,

I'm pretty new to splunk and I have a question.

I am trying to send information from one index to another with the "collect" command.

The problem is that when I send the events to the new index the field and value do not appear as in the old index (they disappear).

I am using this sentence:

index = legacy sourcetype = old_legacy | collect index= mew_legacy

But in the new index i'm not receiving the FIELD->VALUE .

johnhuang · ‎10-10-2022

Make sure you define all the fields and values to be indexed.

<base search>
| table field1 field2 field3 ... 
| collect index=<new_index>

johnhuang · ‎10-10-2022

Make sure you define all the fields and values to be indexed.

<base search>
| table field1 field2 field3 ... 
| collect index=<new_index>

jordilazo · ‎10-11-2022

Thank you. That was what was missing

How to insert data correctly with collect command (include fields and values)?