Solved: How to create data according to search results?

NimrodSky · ‎11-03-2015

Hi all,

I"m kind of new to Splunk to maybe I am not using the right terms, but I need help with this scenario:

I have a stream of events indexed in my Splunk, where events can be "user_added" or "user_removed". I want to create a database with valid users, meaning that when I get "user_added" I will add the username to a new table, and when I get "user_removed" I will remove it from the table.

Thanks for your help

woodcock · ‎11-03-2015

You need to create a KV Store Collection (your DB), then start a Real-Time search with script actions to call the REST Endpoints (described in link below) to add and remove individual records.

http://dev.splunk.com/view/SP-CAAAEZG

View solution in original post

woodcock · ‎11-03-2015

You need to create a KV Store Collection (your DB), then start a Real-Time search with script actions to call the REST Endpoints (described in link below) to add and remove individual records.

http://dev.splunk.com/view/SP-CAAAEZG

DMohn · ‎11-03-2015

Can you please specify what you mean with "creating a database"? Do you want a Splunk report with all valid users, or do you really want to export the search results into a database?

NimrodSky · ‎11-03-2015

I want this list to be available for other searchs, so I think I need to export the results, and not only that, I want to remove existing data according to new results

How to create data according to search results?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms