Re: How to retain original _time from one index us...

bogdan_nicolesc · ‎04-10-2019

Hi all,

I'm using Splunk 7.2.4(.2)

I have an issue, where i want to run this command:

index="defaultdb_713" sourcetype="winnetmon" | collect index="webtest1004" sourcetype="WinNetMon"

and retain the original _time from index="defaultdb_713".

I tried before to move with this command, and realized that using collect command will actually put the timestamp of the system on _time field instead of original timestamp from the old _time field.

Thank you,
Bogdan.

sduff_splunk · ‎04-10-2019

Use the addtime option documented at https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Collect

index="defaultdb_713" sourcetype="winnetmon" | collect index="webtest1004" sourcetype="WinNetMon" addtime=false

bogdan_nicolesc · ‎04-11-2019

Hi sduff,

I tried that command and didn't worked, like if it was ignoring command "addtime=false".

I want to mention the fact that i have read documentation on Collect, and didn't satisfied my lack of knowledge AkA didn't understand a word from that, except the "addtime=false" and "addtime=true".

Thnak you,
Bogdan

How to retain original _time from one index using collect command to another index.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms