We have an index with access logs from multiple hosts and systems with different sourcetypes.
When I try to add information from a dynamic lookup to events and save them in a summary index with the **collect** command, I can't save the original information about source, sourcetype and host, because the collect command arguments take values as text, not field values.
For example, the search:

```spl
index=access sourcetype=*_type_access |
lookup xxx AS yyy |
collect index=enriched_access sourcetype=sourcetype
```

saves results with sourcetype equal to "sourcetype", not the original sourcetype.
When I try to rename sourcetype, the result is the same.
Where am I wrong?
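As an added example (not from the original post), one way to carry the original metadata along: copy host, source and sourcetype into ordinary fields before collect, since collect's host, source and sourcetype arguments are literal strings that label the summary events themselves. The field names orig_* and the sourcetype value enriched_access are assumptions.

```spl
index=access sourcetype=*_type_access
| lookup xxx AS yyy
| eval orig_host=host, orig_source=source, orig_sourcetype=sourcetype
| collect index=enriched_access sourcetype=enriched_access
```

In the summary index the copied values are available as orig_host, orig_source and orig_sourcetype, e.g. `index=enriched_access | stats count BY orig_sourcetype`.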