https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-reconcile-the-data-from-2/m-p/642040#M222408 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/80737">@inventsekar</a>&nbsp;Do you have any examples/sample search to share for my requirement.</P> Tue, 02 May 2023 17:21:47 GMT iamsplunker 2023-05-02T17:21:47Z https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-reconcile-the-data-from-2/m-p/640668#M221970 <P>I wanted to reconcile the data from 2 indexes say index=A and index=B both indexes have some common fileds like field1,field2,field3,field4,field5</P> <P>at the end I wanted to compare the data from index A and index B side by side with time span of 1s.</P> <P>The report should display _time index1 index2 source field1 field2 field3 field4 field5 and difference between the 2 indexes eventcount or any other.</P> Tue, 02 May 2023 17:56:39 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-reconcile-the-data-from-2/m-p/640668#M221970 iamsplunker 2023-05-02T17:56:39Z https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-reconcile-the-data-from-2/m-p/640683#M221976 <P>Hi,&nbsp;</P><P>1) is this an one time report task or you want this report to be run weekly/monthly, etc</P><P>if you want to run this report weekly/monthly, then, summary indexing (<A href="https://docs.splunk.com/Documentation/Splunk/9.0.4/Knowledge/Usesummaryindexing" target="_self">link</A>), report acceleration(<A href="https://docs.splunk.com/Documentation/Splunk/9.0.4/Knowledge/Manageacceleratedsearchsummaries" target="_self">link</A>) will help you very good.&nbsp;</P><P>2) how big the two indexes are..&nbsp;</P> Wed, 19 Apr 2023 19:18:43 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-reconcile-the-data-from-2/m-p/640683#M221976 inventsekar 2023-04-19T19:18:43Z https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-reconcile-the-data-from-2/m-p/640685#M221978 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/80737">@inventsekar</a>&nbsp;, Thanks for your response. For now it's a one time report. I'm looking for a sample search to accomplish this.</P><P>we have about ~ 3-5K events per day</P> Wed, 19 Apr 2023 19:34:42 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-reconcile-the-data-from-2/m-p/640685#M221978 iamsplunker 2023-04-19T19:34:42Z https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-reconcile-the-data-from-2/m-p/642040#M222408 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/80737">@inventsekar</a>&nbsp;Do you have any examples/sample search to share for my requirement.</P> Tue, 02 May 2023 17:21:47 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-reconcile-the-data-from-2/m-p/642040#M222408 iamsplunker 2023-05-02T17:21:47Z