All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to append the only common events from index B which are already available in INDEX A?

manikanthkoti
Explorer
‎05-30-2020 07:24 AM

Hi Everyone

I have two Indexes (IndexA and IndexB)in both i have some common events. I need to append only the common events from Index B

to the IndexA Data?

Syntax Like This?

index=indexA |append [search index=indexB |Here write filter condition]

Please help me out this?

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-30-2020 10:25 PM

Hi @manikanthkoti,
your approach can work but there's le limit of 50,000 results in the subsearch and probably your search is very slow.
You can also use join command but I don't like because it's very slow.

You could also try something like this:

index=indexA OR index=indexB
| stats values(field1) AS field1 values(field2) AS field2 dc(index) AS dc_index BY common_field1 common_field2
| where dc_index=2

In this example common_field1 and common_field2 are the common fields used to group results and field1 and field2 are some fields that you need to have in your results.
In this way you haven't subsearchs so no limits in results and this search is faster than the others two.

Ciao.
Giuseppe

0 Karma
Reply

to4kawa
Ultra Champion
‎05-30-2020 02:29 PM

use join instead of append

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...