Solved: How to move summary index to another summary index...

LearningGuy · ‎05-28-2024

Hello,
I have summary index feeding data since 6 months ago. There is new "field" and I tried to add new field into "past" data and futures data in a summary index.
Is it possible to add new field into past data in a summary index?

If it's not possible ,
How to move summary index to another summary index with updated fields?
Thank you

Below is an example

index=summary report="test_1"

_time	Order	Customer
05/01/2024	Pizza	Customer1
05/01/2024	Hamburger	Customer2
05/02/2024	Spaghetti	Customer3
05/02/2024	Pizza	Customer4
05/03/2024	Noodle	Customer1
05/03/2024	Rice	Customer2

index=summary report="test_2"

_time	Order	Customer	Phone
05/01/2024	Pizza	Customer1	1111
05/01/2024	Hamburger	Customer2	2222
05/02/2024	Spaghetti	Customer3	3333
05/02/2024	Pizza	Customer4	4444
05/03/2024	Noodle	Customer1	1111
05/03/2024	Rice	Customer2	2222

gcusello · ‎05-30-2024

Hi @LearningGuy,

sorry there was a misunderstanding: it isn't possible to update un index-

It's possible to display the index data enriched with the phone by a lookup.

Otherwise, it's possible to save the events of the old index in a new one, enriched also with phone number.

Ciao.

Giuseppe

View solution in original post

LearningGuy · ‎05-30-2024

Hi @gcusello

When you said it's possible to add new field into past data in a summary index, is it a new entry/insert or an update ? In my example, Is it possible to update (not insert) "Phone" field in "test_1" past data (_time/timestamp is in the past) ?
Do I need to have permission to perform an update to an index?
I think I only can perform insert, but not delete or update

Your sample query is moving new data to the new index "test_2", not to same "test_1" past data

if you have these information in a lookup, way do you need to save it in the index?
the main_index has a large set of data, it's very slow doing a lookup in dashboard, that's why i filtered necessary data and moved it to summary index

Past:

index=main_index + csv data ===>   index=summary   report="test1"

Now:
I updated csv data with a phone field

index=main_index + csv data ===>   index=summary   report="test2"

Can I update (not insert) only "phone" field from "test2" to "test1" with Past timestamp?
OR
Can I update (not insert) only "phone" field from "main index+CSV" to "test1" with Past Timestamp?

index=main_index + csv data  (NEW) ===>   index=summary   report="test1"  (PAST Timestamp)

Thank you

gcusello · ‎05-30-2024

Hi @LearningGuy,

sorry there was a misunderstanding: it isn't possible to update un index-

It's possible to display the index data enriched with the phone by a lookup.

Otherwise, it's possible to save the events of the old index in a new one, enriched also with phone number.

Ciao.

Giuseppe

gcusello · ‎05-28-2024

Hi @LearningGuy ,

yes it's possible.

You have to run a search to extract the data from the old summary and save the new one in the new summary, or also in the same one.

there's a thing that I don't understand: how do you take the values for the additional field?

if it's from a lookup, you can do something like this:

index=summary   report="test_1"
| lookup your_lookup.csv Customer OUTPUT Phone
| eval report="test_2"
| table _time Order Customer Phone
| collect index=summary

but if you have these information in a lookup, way do you need to save it in the index? you cau use it every time using the lookup command, the only reason could be that your Phone number could change.

Ciao.

Giuseppe

How to move summary index to another summary index with updated fields?

data

index

indexer

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?