I have an instance of Splunk Enterprise installed where my search head and indexer are running on the same server. I installed and configured the Splunk Forwarder for Windows on a Windows server with a syntax error causing events to be sent to an incorrect index. I tried following the support articles for using the "collect" command to copy events from one index to another but that does not seem to be working. Additionally I double checked the syntax of the collect command directly from the Splunk documentation for the collect command and it appears to be correct. However, when I run the following search and collect my data is not copied to the destination index:
host="hostname" sourcetype="source_type" index="source_index" | collect index="destination_index" sourcetype="source_type" host="hostname"
For my particular use case, my host and sourcetype should be the same for the data in the source and destination index. I only wish to copy the events to the new destination index, after which I will delete them from the original index.
Is there anything I am missing here? Thanks and please let me know if anyone has any insight!
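A verification sequence for a copy like the one above, as an added example that is not part of the original post. The index, sourcetype and host names are the placeholders from the question; the time range and the exact field values are assumed. The three searches are meant to be run one after the other in the search head, and they only rely on the stock `rest`, `collect` and `tstats` commands:

```spl
| rest /services/data/indexes splunk_server=local
| search title="destination_index"
| table title disabled currentDBSizeMB
```

If that first search returns no row, the destination index does not exist on the indexer, and `collect` will not create it: it has to be defined (for example in indexes.conf or under Settings > Indexes) before the copy is attempted. Once the index is present, run the copy over an explicit time range and then count what arrived:

```spl
host="hostname" sourcetype="source_type" index="source_index" earliest=-24h latest=now
| collect index="destination_index" sourcetype="source_type" host="hostname"
```

```spl
| tstats count where index="destination_index" sourcetype="source_type" host="hostname" by index sourcetype host
```

The `tstats` count should match the event count of the source search over the same time range before anything is deleted from `source_index`. Two caveats worth checking while doing this: the search user's role must be allowed to write to `destination_index`, and because `collect` is being told to use a sourcetype other than its default of `stash`, the copied events are counted against the license again.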