Knowledge Management

kvstore - crud and filtering

abeeber_merck
New Member

Hi folks,

I have a use case problem and would appreciate a peer review. My use case is to use a kvstore lookup as a journal to track events that have a specific rule that triggers an additional action/search.

The logic workflow is as follows:
1. The event comes into Splunk a couple of times a day.
2. A Splunk search runs 4 times a day and identifies the event for handling.
3. For the first instance of the event:
4. Splunk is used to normalize/create fields for the event so that the value of is mapped to Field3.
5. A table command is used to verify that all required fields for follow-up processing (e.g. field1, field2, field3, field4) are formatted correctly.
6. A lookup is then used to query the kvstore based on Field3 for values in field5 (e.g. | lookup kvstore field3 OUTPUT field5).
7. A filter is then used to identify event ABC if its value in field5 is null (e.g. | where isnull(field5)).
8. A custom command is run, which generates a value for field5.
9. The results are sent back to the kvstore using an outputlookup (| outputlookup append=t kvstore).

question 1
When the second Splunk search runs and picks up the event again, how do I tweak the above logic to prevent Splunk from picking up that event and processing it with the custom command? Meaning, how do I prevent the duplication?

How do I use lookup to identify an existing match of a kvstore entry on top of the one that I have already defined? Or is there a better way?

question 2
How do I do an outputlookup where I can drop kvstore entries after a period of time, e.g. after 2 weeks?
(Note: all fields in my collections.conf are currently strings.) Do I need to set up my kvstore definition as a temporal lookup, taking one of my fields in my collections.conf and making it a time/numeric value?

0 Karma

abeeber_merck
New Member

Hi Starcher,

Thanks. One point of clarification:

For #1, that is using | eval key = _key, right? If so, how do I insert that into my logic?

Is that | lookup kvstore key AS Field3 (where field3 is the field with the unique value of my event)?

0 Karma

starcher
Influencer
  1. Leverage the ability to set the _key field to what you want, to control updating the same row.
  2. Add a last-updated column in epoch, do date math, and drop rows older than your desired age limit.
0 Karma

abeeber_merck
New Member

Hi Starcher,

(let me try this again, was replying in the wrong place).

For #1, that means using | eval key = _key, right?
If so, how do I include that in my logic?
Is that through a lookup to match the key to the field that I have identified as unique?

0 Karma

starcher
Influencer

Review the dev docs on kvstore. If you expose the _key field, you can set it to whatever you want. If you set it to the same value each time, you are updating the row. For example, an IP address:

eval _key=ipaddress

https://dev.splunk.com/enterprise/docs/developapps/kvstore/uselookupswithkvstore/

0 Karma
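Putting starcher's two points onto the original poster's workflow, as an added example that is not part of the thread: the collection, lookup definition and two scheduled searches below are assumed names (event_journal, event_journal_lookup, event_abc_journal, event_abc_journal_purge, index=main, sourcetype=my_events, event_name=ABC); mycustomcommand stands in for the poster's own custom command that generates field5, and last_updated is the added numeric column. The first search answers question 1: because _key is exposed in fields_list and set to field3, the lookup on the second run finds the existing row, the where clause drops the event before the custom command runs, and a re-write of the same event updates the row rather than inserting a duplicate. The second search answers question 2: it reads the collection back, keeps only rows younger than 14 days, and writes it back without append, which replaces the collection's contents.

```ini
# collections.conf (assumed collection name). The post's fields stay strings;
# last_updated is added as a number so rows can be aged out with date math.
[event_journal]
field.field3 = string
field.field5 = string
field.last_updated = number

# transforms.conf: the lookup definition. fields_list must list _key so the
# search can match on it (lookup) and set it (eval _key=... | outputlookup).
[event_journal_lookup]
external_type = kvstore
collection = event_journal
fields_list = _key, field3, field5, last_updated

# savedsearches.conf
# 1) Journal search, 4x/day. Keyed on field3: a second run finds the existing
#    row, field5 is no longer null, and the event is filtered out before the
#    custom command. append=true with a matching _key updates instead of duplicating.
[event_abc_journal]
enableSched = 1
cron_schedule = 0 0,6,12,18 * * *
search = index=main sourcetype=my_events event_name=ABC \
| table field1 field2 field3 field4 \
| where isnotnull(field1) AND isnotnull(field2) AND isnotnull(field3) AND isnotnull(field4) \
| lookup event_journal_lookup _key AS field3 OUTPUT field5 \
| where isnull(field5) \
| mycustomcommand \
| eval _key=field3, last_updated=now() \
| table _key field3 field5 last_updated \
| outputlookup append=true event_journal_lookup

# 2) Purge search, once a day: keep rows updated in the last 14 days and write
#    the collection back without append, replacing its contents.
[event_abc_journal_purge]
enableSched = 1
cron_schedule = 30 1 * * *
search = | inputlookup event_journal_lookup \
| where last_updated >= relative_time(now(), "-14d@d") \
| outputlookup event_journal_lookup
```

Two checks worth making before scheduling this: _key must appear in fields_list, otherwise the inputlookup in the purge search drops the keys and the rewritten rows get fresh _key values; and the purge search overwrites the whole collection, so if the inputlookup unexpectedly returns nothing (for example a misnamed lookup definition) the journal is emptied. The dedup also depends on the custom command actually populating field5; a row written with a null field5 will be picked up and reprocessed on the next run.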