How to retain original _time from one index using ...

bogdan_nicolesc · ‎04-10-2019

Hi all,

I'm using Splunk 7.2.4(.2)

I have an issue, where i want to run this command:

index="defaultdb_713" sourcetype="winnetmon" | collect index="webtest1004" sourcetype="WinNetMon"

and retain the original _time from index="defaultdb_713".

I tried before to move with this command, and realized that using collect command will actually put the timestamp of the system on _time field instead of original timestamp from the old _time field.

Thank you,
Bogdan.

sduff_splunk · ‎04-10-2019

Use the addtime option documented at https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Collect

index="defaultdb_713" sourcetype="winnetmon" | collect index="webtest1004" sourcetype="WinNetMon" addtime=false

bogdan_nicolesc · ‎04-11-2019

Hi sduff,

I tried that command and didn't worked, like if it was ignoring command "addtime=false".

I want to mention the fact that i have read documentation on Collect, and didn't satisfied my lack of knowledge AkA didn't understand a word from that, except the "addtime=false" and "addtime=true".

Thnak you,
Bogdan

How to retain original _time from one index using collect command to another index.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!