Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Copy logs from one index to another with use same host information

MesutUgurlu
New Member
‎09-16-2021 11:42 PM

Hi,

I want to copy some logs in one index to another index with the same host information. I use collect command to do this process. But when i copy, i see that all host information is the same and write search head ip address. So I cant search by looking host information. How can I do it? Can you help me? 

Thanks.


Best Regards

Tags (1)
0 Karma
Reply

MesutUgurlu
New Member
‎09-17-2021 12:33 AM

Hi @gcusello,

Thank you for replying my question and helping.

I have variable hosts so I ran the command which was your mentioned. But  I do not see the host and sourcetype fields in the new index and also orig_host field.  

Thank you

Best Regards

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-17-2021 12:36 AM

Hi @MesutUgurlu,

could you share one or two events in the new index generated by the search I hinted?

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-17-2021 12:08 AM

Hi @MesutUgurlu,

if the host value is fixed, you could add the "host" option in the search you're using to copy events from indexes, for more infos see at https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Collect

If instead it's variable, you could modify you search in something like this:

index=your_index
| table _time host sourcetype _raw
| collect index=your_new_index

in this way you'll be able to use the host field in searches but not using the host field, but the "orig_host" field.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...