I have two indices.
- contains device data including IP, date last seen, vendor, model
- contains netflow data IPs, bytes
Is it possible to create a consolidated index that appends the device data to the netflow data? If so, how would I do that?
If they share a similar index pattern naming convention, then yes.
Otherwise you can try setting up a pattern of *.
Thanks Mark, if I wanted to add the field data to the netflow data; what's the best way to set that up?
For example:
- device data - 10.10.1.1, dell, poweredge
- netflow data - 10.10.1.1, 350
So since the IP addresses match it's the same device and I want to create one record.
Where is the device data kept?
The device data is a different _type in the same index
You probably want to change that, _type will no longer exist in 7.0.
With this though, you really want to add that data to the event during ingestion.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.