Summary Index Issues:
Issue:
The timestamp is not extracted properly for the summary index (JSON data copied using the collect command).
index=web_idx ......
| collect index="web_summary_idx"
Root cause:
The default sourcetype of the copied events is "stash". It may not recognize the timestamps in JSON data correctly, so the current time is assigned to the events.
Solution:
Specify the original sourcetype when using the "collect" command with JSON events.
index=web_idx ...
| collect index="web_summary_idx" sourcetype="web_json"
Note: Changing the sourcetype from "stash" to a different one leads to license consumption.
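A check to run against the summary index after applying the fix (added example, not part of the original note): it compares each event's indexed _time with the timestamp carried in the JSON body and reports the result per sourcetype. The JSON field name "timestamp" and its ISO 8601 format string are assumptions; replace both with what the web_idx events actually contain.

```spl
index="web_summary_idx"
| spath input=_raw path=timestamp output=assumed_ts_raw
| eval event_ts=strptime(assumed_ts_raw, "%Y-%m-%dT%H:%M:%S%z")
| eval drift_sec=abs(_time - event_ts)
| eval status=case(isnull(event_ts), "ts_field_unparsed", drift_sec > 1, "time_mismatch", true(), "ok")
| stats count max(drift_sec) as max_drift_sec by sourcetype status
```

Events copied with the default "stash" sourcetype should appear as time_mismatch with a large max_drift_sec, while events collected with sourcetype="web_json" should appear as ok.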