How to append the only common events from index B ...

manikanthkoti · ‎05-30-2020

Hi Everyone

I have two Indexes (IndexA and IndexB)in both i have some common events. I need to append only the common events from Index B

to the IndexA Data?

Syntax Like This?

index=indexA |append [search index=indexB |Here write filter condition]

Please help me out this?

gcusello · ‎05-30-2020

Hi @manikanthkoti,
your approach can work but there's le limit of 50,000 results in the subsearch and probably your search is very slow.
You can also use join command but I don't like because it's very slow.

You could also try something like this:

index=indexA OR index=indexB
| stats values(field1) AS field1 values(field2) AS field2 dc(index) AS dc_index BY common_field1 common_field2
| where dc_index=2

In this example common_field1 and common_field2 are the common fields used to group results and field1 and field2 are some fields that you need to have in your results.
In this way you haven't subsearchs so no limits in results and this search is faster than the others two.

Ciao.
Giuseppe

to4kawa · ‎05-30-2020

use join instead of append

How to append the only common events from index B which are already available in INDEX A?

search

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!