Getting Data In

How can we delete particular data from KVStore using REST API/ CURL without using _key?

kamlesh_vaghela
SplunkTrust
SplunkTrust

Here, the requirement is to delete all the data from KVStore having the particular KVStore filed value.

Example: I have a KVStore for student data with Name, Std, roll_number.

In my KVStore, I have all the student information across all the standards.

So my use cases re,

  1. If I want to delete all the records of 10th standard's students then how can I do using REST API
  2. If I want to delete all the records of 5th to 10th standard's students then how can I do using REST API.

You can create as many use cases as you think. 🙂

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

By using below options, you can delete all the records from specific collection OR delete specific records from specific collection using _key ID. Let's see all the ways of deleting records using CURL.

1) Delete all records in the "kvstorecoll" collection:

curl -k -u admin:yourpassword -X DELETE https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/kvstorecoll

2) Delete the record with the key ID " 5410be5441ba15298e4624d1":

curl -k -u admin:yourpassword -X DELETE https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/kvstorecoll/5410be5441...

You can find the above curl commands in https://dev.splunk.com/enterprise/docs/developapps/kvstore/ documentation.

As per our requirement, we need to delete specific records.

For deleting specific records, we have to use query parameters in our REST/CURL.

3) Delete the records with the Standard value 10

curl -k -u admin:admin123 https://localhost:8089/servicesNS/nobody/test/storage/collections/data/kvstorecoll\?query\=\{\"std\"... -g -X DELETE

4) Delete the records with the Standard value from 5 to 10

curl -k -u admin:admin123 https://localhost:8089/servicesNS/nobody/test/storage/collections/data/kvstorecoll\?query\=\{\"\$and\":\[\{\"std\":\{\"\$gt\":4\}\},\{\"id\":\{\"$lt\":11\}\}\]\} -g -X DELETE

Note: In case, any REST/CURL not working as expected then make sure your query parameter value which should be encoded with the % encoding.

My 4th example doesn't work properly for me for a few cases. So converted it into % encoding and It works like charm.

Updated 4)

curl -k -u admin:admin123 https://localhost:8089/servicesNS/nobody/test/storage/collections/data/kvstorecoll\?query=%7B%20%22%... -g -X DELETE

You can find more about the query parameters and operators in the below docs.

https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTkvstore

Happy Splunking

View solution in original post

kamlesh_vaghela
SplunkTrust
SplunkTrust

By using below options, you can delete all the records from specific collection OR delete specific records from specific collection using _key ID. Let's see all the ways of deleting records using CURL.

1) Delete all records in the "kvstorecoll" collection:

curl -k -u admin:yourpassword -X DELETE https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/kvstorecoll

2) Delete the record with the key ID " 5410be5441ba15298e4624d1":

curl -k -u admin:yourpassword -X DELETE https://localhost:8089/servicesNS/nobody/kvstoretest/storage/collections/data/kvstorecoll/5410be5441...

You can find the above curl commands in https://dev.splunk.com/enterprise/docs/developapps/kvstore/ documentation.

As per our requirement, we need to delete specific records.

For deleting specific records, we have to use query parameters in our REST/CURL.

3) Delete the records with the Standard value 10

curl -k -u admin:admin123 https://localhost:8089/servicesNS/nobody/test/storage/collections/data/kvstorecoll\?query\=\{\"std\"... -g -X DELETE

4) Delete the records with the Standard value from 5 to 10

curl -k -u admin:admin123 https://localhost:8089/servicesNS/nobody/test/storage/collections/data/kvstorecoll\?query\=\{\"\$and\":\[\{\"std\":\{\"\$gt\":4\}\},\{\"id\":\{\"$lt\":11\}\}\]\} -g -X DELETE

Note: In case, any REST/CURL not working as expected then make sure your query parameter value which should be encoded with the % encoding.

My 4th example doesn't work properly for me for a few cases. So converted it into % encoding and It works like charm.

Updated 4)

curl -k -u admin:admin123 https://localhost:8089/servicesNS/nobody/test/storage/collections/data/kvstorecoll\?query=%7B%20%22%... -g -X DELETE

You can find more about the query parameters and operators in the below docs.

https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTkvstore

Happy Splunking

jkat54
SplunkTrust
SplunkTrust

There are a couple of apps out there that give you a curl SPL command too... you could in theory do this from splunk search.

0 Karma
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...