<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Eval recently collected events between indexes in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Eval-recently-collected-events-between-indexes/m-p/279704#M53523</link>
    <description>&lt;P&gt;Here is the thing:&lt;/P&gt;

&lt;P&gt;I have 2 indexes: &lt;STRONG&gt;index_original&lt;/STRONG&gt; and &lt;STRONG&gt;index_collected&lt;/STRONG&gt;. &lt;/P&gt;

&lt;P&gt;The plan is to compare/evaluate &lt;STRONG&gt;index_original&lt;/STRONG&gt; events within a selected timespan (say the last 2 minutes) with &lt;STRONG&gt;index_collected&lt;/STRONG&gt; events to see if there are any &lt;STRONG&gt;NEW EVENTS&lt;/STRONG&gt; (that is, not already collected into &lt;STRONG&gt;index_collected&lt;/STRONG&gt;) on &lt;STRONG&gt;index_original&lt;/STRONG&gt;. I do not want to make a one-to-one copy, but I want to compare by event (_time) or another unique identifier on that index to see if there is an event available to be collected. &lt;/P&gt;

&lt;P&gt;The target is that I have only fresh, newly collected events on &lt;STRONG&gt;index_collected&lt;/STRONG&gt;, not the whole stack again followed by filtering/deduping. The goal is to reduce the amount of indexed data per collection.&lt;/P&gt;

&lt;P&gt;I have some other searches/table lookups to be done within the same query, but this is the primary selector.&lt;/P&gt;

&lt;P&gt;Any idea? Would be great help!&lt;/P&gt;</description>
    <pubDate>Tue, 25 Oct 2016 11:13:58 GMT</pubDate>
    <dc:creator>strangelaw</dc:creator>
    <dc:date>2016-10-25T11:13:58Z</dc:date>
    <item>
      <title>Eval recently collected events between indexes</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Eval-recently-collected-events-between-indexes/m-p/279704#M53523</link>
      <description>&lt;P&gt;Here is the thing:&lt;/P&gt;

&lt;P&gt;I have 2 indexes: &lt;STRONG&gt;index_original&lt;/STRONG&gt; and &lt;STRONG&gt;index_collected&lt;/STRONG&gt;. &lt;/P&gt;

&lt;P&gt;The plan is to compare/evaluate &lt;STRONG&gt;index_original&lt;/STRONG&gt; events within a selected timespan (say the last 2 minutes) with &lt;STRONG&gt;index_collected&lt;/STRONG&gt; events to see if there are any &lt;STRONG&gt;NEW EVENTS&lt;/STRONG&gt; (that is, not already collected into &lt;STRONG&gt;index_collected&lt;/STRONG&gt;) on &lt;STRONG&gt;index_original&lt;/STRONG&gt;. I do not want to make a one-to-one copy, but I want to compare by event (_time) or another unique identifier on that index to see if there is an event available to be collected. &lt;/P&gt;

&lt;P&gt;The target is that I have only fresh, newly collected events on &lt;STRONG&gt;index_collected&lt;/STRONG&gt;, not the whole stack again followed by filtering/deduping. The goal is to reduce the amount of indexed data per collection.&lt;/P&gt;

&lt;P&gt;I have some other searches/table lookups to be done within the same query, but this is the primary selector.&lt;/P&gt;

&lt;P&gt;Any idea? Would be great help!&lt;/P&gt;</description>
      <pubDate>Tue, 25 Oct 2016 11:13:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Eval-recently-collected-events-between-indexes/m-p/279704#M53523</guid>
      <dc:creator>strangelaw</dc:creator>
      <dc:date>2016-10-25T11:13:58Z</dc:date>
    </item>
    <item>
      <title>Re: Eval recently collected events between indexes</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Eval-recently-collected-events-between-indexes/m-p/279705#M53524</link>
      <description>&lt;P&gt;Will this work?&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=original OR index=collected | timechart list(_raw) as _raw by index | mvexpand _raw | where isnull(original) OR isnull(collected)
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 25 Oct 2016 13:33:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Eval-recently-collected-events-between-indexes/m-p/279705#M53524</guid>
      <dc:creator>sundareshr</dc:creator>
      <dc:date>2016-10-25T13:33:06Z</dc:date>
    </item>
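An added example (not from either poster) of the "only the events index_collected does not have yet" selection the question asks for, written as a stats-based set difference rather than a timechart. It assumes the index names from the question (index_original, index_collected), that the collect step preserves _time and _raw unchanged so md5(_raw) is a stable per-event key, and that the copy into index_collected can lag by up to 15 minutes, which is why the collected side is searched over a wider window than the 2-minute window on the original side. If the data has a real unique identifier field (a transaction ID, a message ID), use that instead of md5(_raw). Note also that with a single function and "by index", timechart names its output columns after the index values, so a field called _raw is not what comes out of the posted search; stats by a key avoids that.

```spl
(index=index_original earliest=-2m@m latest=now) OR (index=index_collected earliest=-15m@m latest=now)
| eval event_key=md5(_raw)
| stats values(index) AS seen_in, min(_time) AS _time, first(_raw) AS _raw BY event_key
| where mvcount(seen_in)=1 AND seen_in="index_original"
| table _time event_key _raw
```

Each event that appears in both indexes gets both values in seen_in and is dropped by the where clause; only events seen solely in index_original survive, so appending a final "| collect index=index_collected" writes just the new ones. Keep the collected-side window comfortably larger than the collection interval, otherwise an event copied earlier than that window will look new again and be duplicated.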
  </channel>
</rss>

