Archive

Upsert Data on Ingest

lampert_marksu
Explorer

I have an index set up and functioning properly on initial ingest. What I'd like to accomplish is the "upsert" of events on future files.

Example

File 1 (childCount_08-13-2013.txt)

Date, Name, # of Kids

08/13/2013, Nicky Blank, 4

08/13/2013, Mike Dorn, 2

08/13/2013, Les Paul, 1

File 2 (childCount_08-23-2013.txt)

Date, Name, # of Kids

08/23/2013, Nicky Blank, 6

08/23/2013, Phillip Jacks, 3

08/23/2013, Tina Walls, 1

DESIRED OUTPUT (Contains all unique entries and updates any existing entries)

08/23/2013, Nicky Blank, 6

08/13/2013, Mike Dorn, 2

08/13/2013, Les Paul, 1

08/23/2013, Phillip Jacks, 3

08/23/2013, Tina Walls, 1

Any assistance would be greatly appreciated.

0 Karma
1 Solution

Ayn
Legend

Data in Splunk's index cannot be modified - once it's indexed the data stays the same. What you could do though is create tables like the one you show using stats for instance.

<basesearch> | stats latest(Date) as Date,latest(num_kids) by Name

View solution in original post

0 Karma

Ayn
Legend

Data in Splunk's index cannot be modified - once it's indexed the data stays the same. What you could do though is create tables like the one you show using stats for instance.

<basesearch> | stats latest(Date) as Date,latest(num_kids) by Name

View solution in original post

0 Karma

lampert_marksu
Explorer

Ah, that makes sense. Thanks for the feedback; this is helpful.

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!