- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to delete a KV STORE lookup?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to delete a KV STORE lookup?
I have write permissions on a KV Store lookup. When I try to press "delete" on the Lookup Editor app, it says "Lookup file could not be deleted". I'm not trying to delete information, I want to delete the whole lookup. How can I do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To delete the config for the collection, rather than the records within it, use:
curl -k -u admin:changeme -X DELETE https://<host>:8089/servicesNS/nobody/<app>/storage/collections/config/<collection>Deleting the transform lookup configuration may still work, but this is the solution currently provided in the Splunk docs at https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/usetherestapitomanagekv/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Have you tried to send DELETE call to
https://{{sh_url}}:8089/servicesNS/nobody/{{sh_app_name}}/data/transforms/lookups/{{lookup_name}}
you might need to change nobody to specific user if the lookup is defined having user and not app level permission.
for example using curl
curl -X DELETE \
https://{{sh_url}}:8089/servicesNS/nobody/{{sh_app_name}}/data/transforms/lookups/{{lookup_name}}
Regards,
ILYA
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried to use clean command, on the server it said "deleted" but Lookup Editor still claims the lookup exists.
The simple command "|outputlookup " won't help me because I want to delete the lookup table itself and not just the data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Try the following command
curl -k -u splunkadmin:splunkadmin --request DELETE https://localhost:8089/servicesNS/splunkadmin/search/data/transforms/lookups/lookuptest
Here
splunkadmin is the username/password
lookuptest is the definition name.
search is the app name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, I tried and it says "curl: (35) TCP connection reset by peer" even after replacing the values you mentioned ever with different admin users.
Is there no way to use the GUI to delete?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the above command and let me know.
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
