Deleting Data from KV Store

newbie2tech
Communicator

Hi Team,

We have a kvstore with about 95 million events dating back 3 years.

The key of the kvstore is a unique numeric field. We also have a timestamp among other fields.

We have a requirement to retain only 1 year's worth of data.

I would like to know what would be the best way to get rid of old data.

Also, is there a way to specify that any data older than 1 year should be dropped going forward, like index retention time?

We have a clustered SH and indexer environment.

We are at Splunk version 6.11.

Thank you!


darrenfuller
Contributor

Hi newbie2tech,

You need to create a Mongo-formatted query (kvstore is MongoDB at its core, albeit a modified MongoDB, so you can't just point a MongoDB tool at it to manage it).

For example, if you have a query that looks at your kvstore like so:

 |inputlookup my_kv_store where LastUpdateTime<1551139200

In MongoDB query format that would look like this:

 {"LastUpdateTime": {"$lt": 1551139200}}

Next, you need to take that and URL-encode it, using a tool like http://meyerweb.com/eric/tools/dencoder/, which turns this:

{"LastUpdateTime": {"$lt": 1551139200}}

Into this:

%7B%22LastUpdateTime%22%3A%20%7B%22%24lt%22%3A%201551139200%7D%7D

Lastly, run the following from a command line that supports curl and can access your Splunk search head:

curl -k -u admin:changeme -X DELETE https://splunkhost:8089/servicesNS/nobody/<appname_where_kvstore_is_defined>/storage/collections/dat...

Make sure you replace the splunkhost and <appname_where_kvstore_is_defined> placeholders with the actual values relevant to your environment, and paste your Mongo query after the query= point in the command.

Last point: measure twice, cut once. Maybe create a test kvstore, put some dummy data in it and test this before you run it against your 3 years' kvstore data and accidentally blow it all away. A backup of the kvstore might also be in order before this. (Call me paranoid.)

Good luck.
Darren
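The three steps in the answer above (build the Mongo query, URL-encode it, send the REST DELETE) as one script. This is an added example, not code from Darren's post or from Splunk; the host, app and collection names are placeholders taken from the thread, the SPLUNK_USER and SPLUNK_PASS environment variables are an assumed convention, and the collection data endpoint is Splunk's documented `storage/collections/data/<collection>` path. It computes the cutoff from the current time rather than hard-coding 1551139200, so a scheduled run gives the rolling one-year window the question asks for, and it is a dry run unless told otherwise.

```python
"""Age out KV Store records older than a retention window via the Splunk REST API.

Added example for the procedure in the answer above. Defaults are placeholders.
"""
import base64
import json
import os
import ssl
import sys
import time
import urllib.parse
import urllib.request

# Assumed placeholders, matching the thread; replace with your own values.
SPLUNK_HOST = "splunkhost"
APP = "appname_where_kvstore_is_defined"
COLLECTION = "my_kv_store"
TIME_FIELD = "LastUpdateTime"
ONE_YEAR_SECONDS = 365 * 24 * 60 * 60


def cutoff_epoch(now=None, retain_seconds=ONE_YEAR_SECONDS):
    """Epoch seconds; records whose TIME_FIELD is older than this get deleted."""
    now = time.time() if now is None else now
    return int(now) - retain_seconds


def mongo_query(cutoff, field=TIME_FIELD):
    """Same shape as the answer's query: {"LastUpdateTime": {"$lt": <cutoff>}}."""
    return json.dumps({field: {"$lt": int(cutoff)}})


def encode_query(query_json):
    """URL-encode every reserved character ({, ", :, $, space) so the JSON
    survives as a single query= value, exactly as the answer's encoder does."""
    return urllib.parse.quote(query_json, safe="")


def collection_url(cutoff, host=SPLUNK_HOST, app=APP, collection=COLLECTION, port=8089):
    """Documented collection data endpoint with the encoded query appended."""
    return (f"https://{host}:{port}/servicesNS/nobody/{app}"
            f"/storage/collections/data/{collection}"
            f"?query={encode_query(mongo_query(cutoff))}")


def delete_old_records(cutoff, dry_run=True, user=None, password=None, ca_bundle=None):
    """Issue the DELETE. With dry_run=True, only return the URL that would be called.

    Credentials come from the environment (assumed SPLUNK_USER / SPLUNK_PASS)
    rather than the command line, so they do not land in shell history or `ps`.
    TLS is verified against the system or supplied CA bundle instead of `curl -k`.
    """
    url = collection_url(cutoff)
    if dry_run:
        return url
    user = user or os.environ["SPLUNK_USER"]
    password = password or os.environ["SPLUNK_PASS"]
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, method="DELETE",
                                 headers={"Authorization": f"Basic {creds}"})
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=600) as resp:
        return resp.status


if __name__ == "__main__":
    # Dry run by default; pass --delete to actually remove records.
    live = "--delete" in sys.argv
    result = delete_old_records(cutoff_epoch(), dry_run=not live)
    print("HTTP status" if live else "would DELETE", result)
```

Before the live run, the answer's own search form tells you how many records will go: `|inputlookup my_kv_store where LastUpdateTime<<cutoff> | stats count`. Run the script as a dedicated user whose role has write access to that collection only, not as admin, and schedule it (cron on the search head works) once the initial backlog is gone.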
