I am searching yesterday's data and trying to insert it into an index for reporting purposes. I need to take multiple indexed events with various date/time fields and override them with the current date/time for the summary index table. The following search is a very simplified version that illustrates the issue.
index=blah
| eval _time=now()
| collect index=test
When I do the search, it inserts yesterday's date/time into the summary index _time field. Is there any way to reassign this?
Splunk 6.6.3.