- Community
- :
- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- Re: I would like to create a new index with some e...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
Topic: I would like to create a new index with some extract fields which are not in my initial index
Description :
I have an index and I create new fields with a python script
index "A"
name
last_name
otherinformation
search : index="A" | script python extractname
name last_name adress zipcode
What I need ?
I would like create a new index with all the columns .
search : index="A" | script python extractname | table * | collect index="B"
but in my new index I just see name last_name otherinformation
Have you an idea ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your event as _raw when piped to collect that value will be used as the full event for your summary.
You should specify only the fields you care about with table before you run collect:
index=A | script python extractname | table name last_name address zipcode | collect index=B
You could use table * | fields - _raw to remove only _raw from your results, but I strongly recommend specifying the full set of fields you actually want to be present in your summary index instead.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your event as _raw when piped to collect that value will be used as the full event for your summary.
You should specify only the fields you care about with table before you run collect:
index=A | script python extractname | table name last_name address zipcode | collect index=B
You could use table * | fields - _raw to remove only _raw from your results, but I strongly recommend specifying the full set of fields you actually want to be present in your summary index instead.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot.
It is working with table * | fields - _raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Excellent. Please accept the answer so that this question doesn't still appear to be open.
And again, I strongly suggest you use fields <list of fields you definitely want> instead of just removing _raw. But I obviously don't know your entire use case.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have in index B exactly the _raw of index A and not the columns that I had after the extraction
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you include the output of index="A" | script python extractname | table *, and the output of index="B"?
Build Scalable Security While Moving to Cloud - Guide From Clayton Homes
Mission Control | Explore the latest release of Splunk Mission Control (2.3)
Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7
