Splunk Search

How to retain original _time from one index using collect command to another index.

bogdan_nicolesc
Communicator

Hi all,

I'm using Splunk 7.2.4(.2)

I have an issue where I want to run this command:

index="defaultdb_713" sourcetype="winnetmon" | collect index="webtest1004" sourcetype="WinNetMon"

and retain the original _time from index="defaultdb_713".

I tried to move the data with this command before, and realized that using the collect command will actually put the system timestamp in the _time field instead of the original timestamp from the old _time field.

Thank you,
Bogdan.


sduff_splunk
Splunk Employee

Use the addtime option documented at https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Collect

index="defaultdb_713" sourcetype="winnetmon" | collect index="webtest1004" sourcetype="WinNetMon" addtime=false


bogdan_nicolesc
Communicator

Hi sduff,

I tried that command and it didn't work, as if it was ignoring the "addtime=false" option.

I want to mention that I have read the documentation on collect, and it didn't satisfy my lack of knowledge, AKA I didn't understand a word of it, except for "addtime=false" and "addtime=true".

Thank you,
Bogdan
