Is there an easy way to update a record in KV Stor...

clyde772 · ‎04-14-2015

It seems using KV store from migrating from lookups seems to be very easy. Just outputlookup to a KV store stanza. But Is there an easy way to update a record, instead of just bulk reloading of a lookup table. For example, I would like to update a field for a record in KV store from the results from a Splunk search.

sundareshr · ‎05-03-2016

Here's a good write up on kvstore

http://dev.splunk.com/view/webframework-developapps/SP-CAAAEZH

dgladkikh_splun · ‎04-14-2015

Please take a look on http://dev.splunk.com/view/SP-CAAAEZH

By default, each KV Store record has a
unique key ID, which is stored in the
internal "_key" field. When you use
outputlookup to write to the KV Store,
a key ID is autogenerated if you don't
specify one explicitly. If you want to
modify a specific record, you need to
provide its key ID.

So to do what you want you need: a) know _key field b) use append=True c) have the whole record (not just one field), because outputlookup with append=true will replace existing document with specified _key.

TonyLeeVT · ‎05-03-2016

Would really appreciate an example one-liner. Thanks!

jagadeeshm · ‎01-22-2018

yeah, is there an example?

clyde772 · ‎04-16-2015

Thanks! dgladkikh_splunk!!

Is there an easy way to update a record in KV Store from the results of a Splunk search instead of bulk reloading a lookup table?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...