How to add fields from one index to another with t...

Fritsch · ‎10-09-2014

I want to add fields from one Index to another, with the same sourcetype "stash"

In Index A there are fields like a, b, c, d,..

Thats what i did:

index="A" | stats count by a | sort -count | collct index="B"

The fields I get in index B are "a" and "count", but

how can I get the fields b, c, and d in the Index B?

MuS · ‎10-09-2014

Hi Fritsch,

either re-run the command for each field like:

index="A" | stats count by a | sort -count | collect index="B"
index="A" | stats count by b | sort -count | collect index="B"
index="A" | stats count by c | sort -count | collect index="B"

or try something like this:

index="A" | stats count by a, b, c, d | sort -count | collect index="B"

or without a count field:

index="A" | table a, b, c, d | collect index="B"

hope this helps ...

cheers, MuS

Fritsch · ‎10-09-2014

Hi MuS,

thanks for your answer.

This command is allmost the one i need.

With the second command, b, c, g... is counted too, but i just want those fields to display in the stats.

Have you got any other idea?

Thanks so far.

MuS · ‎10-09-2014

Have you tried the command using the table as well? This should do what you want...

How to add fields from one index to another with the same sourcetype?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation