Solved: How do you append data from a different source in ...

maheshsat · ‎11-05-2018

I have one Index that has two different sources. One source has current data and another has historical data. Both have the same fields. I want to append data current in historical data incase there are any changes in current data by user that should be reflected in historical data. I want one side current data in column, & on the other side, there would be historical data in another column.

Trying below command

source="historical" PERIOD="Q1" YEAR="2012" | Table PERIOD, YEAR | append [index=prod source="current"  PERIOD="Q2" YEAR="2012" | Table PERIOD, YEAR]

Akumar294 · ‎11-06-2018

Please try like below:

index="your index" source="historical" PERIOD="Q1" YEAR="2012" 
|table PERIOD, YEAR 
|join [search index=prod source="current" PERIOD="Q2" YEAR="2012" 
|table PERIOD, YEAR]

View solution in original post

Akumar294 · ‎11-06-2018

Please try like below:

index="your index" source="historical" PERIOD="Q1" YEAR="2012" 
|table PERIOD, YEAR 
|join [search index=prod source="current" PERIOD="Q2" YEAR="2012" 
|table PERIOD, YEAR]

Akumar294 · ‎11-06-2018

If above solution resolved your problem, can you please accept the answer?

How do you append data from a different source in the same Index?

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!