Re: Copy logs from one index to another with use s...

MesutUgurlu · ‎09-16-2021

Hi,

I want to copy some logs in one index to another index with the same host information. I use collect command to do this process. But when i copy, i see that all host information is the same and write search head ip address. So I cant search by looking host information. How can I do it? Can you help me?

Thanks.

Best Regards

MesutUgurlu · ‎09-17-2021

Hi @gcusello,

Thank you for replying my question and helping.

I have variable hosts so I ran the command which was your mentioned. But I do not see the host and sourcetype fields in the new index and also orig_host field.

Thank you

Best Regards

gcusello · ‎09-17-2021

Hi @MesutUgurlu,

could you share one or two events in the new index generated by the search I hinted?

Ciao.

Giuseppe

gcusello · ‎09-17-2021

Hi @MesutUgurlu,

if the host value is fixed, you could add the "host" option in the search you're using to copy events from indexes, for more infos see at https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Collect

If instead it's variable, you could modify you search in something like this:

index=your_index
| table _time host sourcetype _raw
| collect index=your_new_index

in this way you'll be able to use the host field in searches but not using the host field, but the "orig_host" field.

Ciao.

Giuseppe

Copy logs from one index to another with use same host information

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation