Solved: How to create data according to search results?

NimrodSky · ‎11-03-2015

Hi all,

I"m kind of new to Splunk to maybe I am not using the right terms, but I need help with this scenario:

I have a stream of events indexed in my Splunk, where events can be "user_added" or "user_removed". I want to create a database with valid users, meaning that when I get "user_added" I will add the username to a new table, and when I get "user_removed" I will remove it from the table.

Thanks for your help

woodcock · ‎11-03-2015

You need to create a KV Store Collection (your DB), then start a Real-Time search with script actions to call the REST Endpoints (described in link below) to add and remove individual records.

http://dev.splunk.com/view/SP-CAAAEZG

View solution in original post

woodcock · ‎11-03-2015

You need to create a KV Store Collection (your DB), then start a Real-Time search with script actions to call the REST Endpoints (described in link below) to add and remove individual records.

http://dev.splunk.com/view/SP-CAAAEZG

DMohn · ‎11-03-2015

Can you please specify what you mean with "creating a database"? Do you want a Splunk report with all valid users, or do you really want to export the search results into a database?

NimrodSky · ‎11-03-2015

I want this list to be available for other searchs, so I think I need to export the results, and not only that, I want to remove existing data according to new results

How to create data according to search results?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor