Hello Splunkers,
I've got an existing index which I would like to process and collect in a new Index. My rough idea is as follows:
Use Sort and get the latest (Newest) event in the existing Index - BY (Group by) ID
Collect (Copy) only the first (Newest) event from the above Index to a New Index.
My sample data in the existing Index looks like below:
ID, Action, DateTime
1, Purchase, 11.08.2019-16:00
1, Purchase, 11.08.2019-15:30
2, Purchase, 11.08.2019-13:00
3, Purchase, 11.08.2019-16:00
The new data in my New Index should be a Collect from the Above Index
ID, Action, DateTime
1, Purchase, 11.08.2019-16:00
2, Purchase, 11.08.2019-13:00
3, Purchase, 11.08.2019-16:00
If you observe, the second Event for ID 1 is not present in the second Index.
I believe this should be possible using Sort, Dedup and Collect. Please suggest the best possible method. I have to move an Index of around 5GB.
Thanks!!
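The approach outlined in the post, written out as an SPL search; this is an added example, not part of the original post. The index names existing_index and new_index and the helper field event_time are assumptions, and DateTime is assumed to be an extracted field in the day.month.year-hour:minute format shown in the sample data.

```spl
index=existing_index
| eval event_time=strptime(DateTime, "%d.%m.%Y-%H:%M")
| sort 0 - event_time
| dedup ID
| fields - event_time
| collect index=new_index
```

`sort 0` lifts the default 10,000-result limit of `sort`, so every event is ordered before `dedup ID` keeps the first (newest) one per ID. `collect` writes to an index that must already exist.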