All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to append the only common events from index B which are already available in INDEX A?

manikanthkoti
Loves-to-Learn Everything
‎05-30-2020 07:24 AM

Hi Everyone

I have two Indexes (IndexA and IndexB)in both i have some common events. I need to append only the common events from Index B

to the IndexA Data?

Syntax Like This?

index=indexA |append [search index=indexB |Here write filter condition]

Please help me out this?

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-30-2020 10:25 PM

Hi @manikanthkoti,
your approach can work but there's le limit of 50,000 results in the subsearch and probably your search is very slow.
You can also use join command but I don't like because it's very slow.

You could also try something like this:

index=indexA OR index=indexB
| stats values(field1) AS field1 values(field2) AS field2 dc(index) AS dc_index BY common_field1 common_field2
| where dc_index=2

In this example common_field1 and common_field2 are the common fields used to group results and field1 and field2 are some fields that you need to have in your results.
In this way you haven't subsearchs so no limits in results and this search is faster than the others two.

Ciao.
Giuseppe

0 Karma
Reply

to4kawa
Ultra Champion
‎05-30-2020 02:29 PM

use join instead of append

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...