Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Copy logs from one index to another with use same host information

MesutUgurlu
New Member
‎09-16-2021 11:42 PM

Hi,

I want to copy some logs in one index to another index with the same host information. I use collect command to do this process. But when i copy, i see that all host information is the same and write search head ip address. So I cant search by looking host information. How can I do it? Can you help me? 

Thanks.


Best Regards

Tags (1)
0 Karma
Reply

MesutUgurlu
New Member
‎09-17-2021 12:33 AM

Hi @gcusello,

Thank you for replying my question and helping.

I have variable hosts so I ran the command which was your mentioned. But  I do not see the host and sourcetype fields in the new index and also orig_host field.  

Thank you

Best Regards

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-17-2021 12:36 AM

Hi @MesutUgurlu,

could you share one or two events in the new index generated by the search I hinted?

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-17-2021 12:08 AM

Hi @MesutUgurlu,

if the host value is fixed, you could add the "host" option in the search you're using to copy events from indexes, for more infos see at https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Collect

If instead it's variable, you could modify you search in something like this:

index=your_index
| table _time host sourcetype _raw
| collect index=your_new_index

in this way you'll be able to use the host field in searches but not using the host field, but the "orig_host" field.

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...

Index This | How many sevens are there between 1 and 100?

August 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...