Hey. I have this kind of data once a week:
"SilkWorm48000",SwitchWWN ,160,"SwSerialNumber","http://UrlManagement/",swIsPrincipal,"42.2","v6.4.3"
(host=sancocsw2 sourcetype=CSWInfos source=\bob01\sancocsw2_infos.txt)
And this kind of data every 2 minutes:
State,Status,CPU Usage,Memory Usage
(host=sancocsw2 sourcetype=CSWInfos source=\bob01\sancocsw2_infos.txt)
I would like a table that joins these 2 sets of data into one table, that is, all fields from the second data set joined with the fields of the first one.
This search displays all the lines of data I need:
index=main sourcetype="cswinfos" OR sourcetype="cswstatus"| dedup host,sourcetype sortby -_time
I saw in the docs many ways to do that (like append, appendcols, appendpipe, join, ...), sometimes with a subsearch, and I would like to know which one is the best practice.
Thanks for your help,