Re: Copy logs from one index to another with use s...

MesutUgurlu · ‎09-16-2021

Hi,

I want to copy some logs in one index to another index with the same host information. I use collect command to do this process. But when i copy, i see that all host information is the same and write search head ip address. So I cant search by looking host information. How can I do it? Can you help me?

Thanks.

Best Regards

MesutUgurlu · ‎09-17-2021

Hi @gcusello,

Thank you for replying my question and helping.

I have variable hosts so I ran the command which was your mentioned. But I do not see the host and sourcetype fields in the new index and also orig_host field.

Thank you

Best Regards

gcusello · ‎09-17-2021

Hi @MesutUgurlu,

could you share one or two events in the new index generated by the search I hinted?

Ciao.

Giuseppe

gcusello · ‎09-17-2021

Hi @MesutUgurlu,

if the host value is fixed, you could add the "host" option in the search you're using to copy events from indexes, for more infos see at https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Collect

If instead it's variable, you could modify you search in something like this:

index=your_index
| table _time host sourcetype _raw
| collect index=your_new_index

in this way you'll be able to use the host field in searches but not using the host field, but the "orig_host" field.

Ciao.

Giuseppe

Copy logs from one index to another with use same host information

other

Meet Duke Cyberwalker | A hero’s journey with Splunk

The Future of Splunk Search is Here - See What’s New!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today