https://community.splunk.com/t5/Knowledge-Management/KV-Store-Update-Multiple-Records/m-p/489317#M4380 <P>Quick question about KV store - wondering what the best way to update multiple records at once via search may be?</P> <P>Example - let's say I have the most recent logon for users for the past week:</P> <P>user1 - last_logon_time<BR /> user2 - last_logon_time<BR /> etc....</P> <P>I would like to query last_logon_time for all users for the past day, then update the KV store with the most recent info. The goal would be to set this up as a schedule search running daily to keep the KV store updated.</P> <P>Any thoughts?</P> Wed, 30 Sep 2020 05:15:39 GMT kdroddy 2020-09-30T05:15:39Z https://community.splunk.com/t5/Knowledge-Management/KV-Store-Update-Multiple-Records/m-p/489317#M4380 <P>Quick question about KV store - wondering what the best way to update multiple records at once via search may be?</P> <P>Example - let's say I have the most recent logon for users for the past week:</P> <P>user1 - last_logon_time<BR /> user2 - last_logon_time<BR /> etc....</P> <P>I would like to query last_logon_time for all users for the past day, then update the KV store with the most recent info. The goal would be to set this up as a schedule search running daily to keep the KV store updated.</P> <P>Any thoughts?</P> Wed, 30 Sep 2020 05:15:39 GMT https://community.splunk.com/t5/Knowledge-Management/KV-Store-Update-Multiple-Records/m-p/489317#M4380 kdroddy 2020-09-30T05:15:39Z https://community.splunk.com/t5/Knowledge-Management/KV-Store-Update-Multiple-Records/m-p/489318#M4381 <P>@kdroddy </P> <P>Can you please share your existing sample search/ code for updating KVStore and the sample KVstore fields?</P> Thu, 30 Apr 2020 05:18:24 GMT https://community.splunk.com/t5/Knowledge-Management/KV-Store-Update-Multiple-Records/m-p/489318#M4381 kamlesh_vaghela 2020-04-30T05:18:24Z https://community.splunk.com/t5/Knowledge-Management/KV-Store-Update-Multiple-Records/m-p/517829#M4722 <P>If I understood the question correctly, it seems very similar to updating a KV Store as described in&nbsp;<A href="https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/uselookupswithkvstore/" target="_blank" rel="noopener">https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/uselookupswithkvstore/</A>, but with multiple entries at once. So, instead of:&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| inputlookup csvcoll_lookup | search _key=544948df3ec32d7a4c1d9755 | eval CustName="Marge Simpson" | eval CustCity="Springfield" | outputlookup csvcoll_lookup append=True</LI-CODE><P>&nbsp;</P><P>try something like:&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| inputlookup csvcoll_lookup | where _key IN("544948df3ec32d7a4c1d9755","544948df3ec32d7a4c1d9756","544948df3ec32d7a4c1d9757") | eval CustName="Marge Simpson" | eval CustCity="Springfield" | outputlookup csvcoll_lookup append=True</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>The critical difference is "<STRONG>| where _key IN</STRONG>" to list the keys you want to manipulate instead of searching for a single one.&nbsp;&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>EDIT: sorry, I replied to the reply instead of the OP. Removed original and posted correctly.</P> Thu, 03 Sep 2020 21:26:16 GMT https://community.splunk.com/t5/Knowledge-Management/KV-Store-Update-Multiple-Records/m-p/517829#M4722 sciencenfaith 2020-09-03T21:26:16Z