Archive

How do you append data from a different source in the same Index?

maheshsat
Explorer

I have one Index that has two different sources. One source has current data and another has historical data. Both have the same fields. I want to append data current in historical data incase there are any changes in current data by user that should be reflected in historical data. I want one side current data in column, & on the other side, there would be historical data in another column.

Trying below command

source="historical" PERIOD="Q1" YEAR="2012" | Table PERIOD, YEAR | append [index=prod source="current"  PERIOD="Q2" YEAR="2012" | Table PERIOD, YEAR]
Tags (1)
0 Karma
1 Solution

Akumar294
Path Finder

Please try like below:

index="your index" source="historical" PERIOD="Q1" YEAR="2012" 
|table PERIOD, YEAR 
|join [search index=prod source="current" PERIOD="Q2" YEAR="2012" 
|table PERIOD, YEAR]

View solution in original post

0 Karma

Akumar294
Path Finder

Please try like below:

index="your index" source="historical" PERIOD="Q1" YEAR="2012" 
|table PERIOD, YEAR 
|join [search index=prod source="current" PERIOD="Q2" YEAR="2012" 
|table PERIOD, YEAR]

View solution in original post

0 Karma

Akumar294
Path Finder

If above solution resolved your problem, can you please accept the answer?

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!