How to add fields from one index to another with t...

Fritsch · ‎10-09-2014

I want to add fields from one Index to another, with the same sourcetype "stash"

In Index A there are fields like a, b, c, d,..

Thats what i did:

index="A" | stats count by a | sort -count | collct index="B"

The fields I get in index B are "a" and "count", but

how can I get the fields b, c, and d in the Index B?

MuS · ‎10-09-2014

Hi Fritsch,

either re-run the command for each field like:

index="A" | stats count by a | sort -count | collect index="B"
index="A" | stats count by b | sort -count | collect index="B"
index="A" | stats count by c | sort -count | collect index="B"

or try something like this:

index="A" | stats count by a, b, c, d | sort -count | collect index="B"

or without a count field:

index="A" | table a, b, c, d | collect index="B"

hope this helps ...

cheers, MuS

Fritsch · ‎10-09-2014

Hi MuS,

thanks for your answer.

This command is allmost the one i need.

With the second command, b, c, g... is counted too, but i just want those fields to display in the stats.

Have you got any other idea?

Thanks so far.

MuS · ‎10-09-2014

Have you tried the command using the table as well? This should do what you want...

How to add fields from one index to another with the same sourcetype?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor