Splunk Search

How to only append events based on the existing records from the main search.

xzywind
New Member

Hi.

I have a search which needs to combine fields from two indexes. I know I can use "join", but it is too costly; that's why I started looking into the "append" command.

The question is, I found I have to enter the field value in the "append search" to get the correct final table; if I don't put the value in the append search, this field will be missing from the final table. Below I have attached some of the code.

index=year* Code=12 OR Code=13 Number=12345678
| rex ****************
| rex ****************
| eval *******************
| eval 001=xxxxx
| append
[search index=month* Word=xys OR word=ayd Number=12345678| fields + day week time]
| rex ****************
| rex ****************
| eval *******************
| eval 002=xxxxxxx
| stats
first(001) as 001
first(002) as 002
by Number
|table 001 002

The code above works fine, but once I remove the Number=12345678 from the append search, the 002 field, which is from the append search, cannot show in the table, and all the remaining events in index=month* will show in the table. Is it possible to solve this? Thanks a lot!!
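As an added example (this is not the poster's code and not a reply from the thread), here is one way to restrict the appended search to the Number values the main search actually produces, using a subsearch as a filter: Splunk expands a subsearch placed in the search clause into an OR of field=value terms built from the results it returns, so the month* search only pulls events whose Number appeared in the year* results. The field names field_a and field_b stand in for the masked rex/eval extractions on the page and are assumptions; the filter terms on Code and Word are taken from the original search.

```spl
index=year* (Code=12 OR Code=13)
| fields Number field_a
| append
    [ search index=month* (Word=xys OR word=ayd)
        [ search index=year* (Code=12 OR Code=13) | stats count by Number | fields Number ]
      | fields Number field_b ]
| stats first(field_a) AS field_a first(field_b) AS field_b BY Number
| where isnotnull(field_a)
| table Number field_a field_b
```

The inner subsearch returns one row per distinct Number (the stats count by Number step deduplicates), which Splunk turns into (Number=...) OR (Number=...) terms for the month* search. The subsearch in the append keeps Number in its fields list on purpose: stats ... BY Number silently drops any event that carries no Number field, so a subsearch that only returns day, week and time contributes nothing to the grouped result. The final where isnotnull(field_a) keeps only rows that the main search produced, which also guards against stray month* rows if the filtering subsearch is truncated; subsearches are capped by default at 10,000 results and 60 seconds, so on large year* result sets check the job inspector for a truncated subsearch before trusting the table.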
