I'm using Splunk 7.2.4(.2)
I have an issue where I want to run this command:
index="defaultdb_713" sourcetype="winnetmon" | collect index="webtest1004" sourcetype="WinNetMon"
and retain the original _time from index="defaultdb_713".
I tried before to move with this command, and realized that using the collect command will actually put the timestamp of the system in the _time field instead of the original timestamp from the old _time field.
Use the addtime option documented at https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Collect
index="defaultdb_713" sourcetype="winnetmon" | collect index="webtest1004" sourcetype="WinNetMon" addtime=false
I tried that command and it didn't work, as if it was ignoring the command "addtime=false".
I want to mention the fact that I have read the documentation on Collect, and it didn't satisfy my lack of knowledge, a.k.a. I didn't understand a word of it, except the "addtime=false" and "addtime=true".