Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Schedule a job to delete 30 days older records from KV Store?

rishiaggarwal
Explorer
‎04-04-2019 06:43 PM

Hi All,

I have created a KV store which receives 100,000 records daily. I need only 30 days of historical data to produce a report. KV Store has a unique key (_key) for each record. I knew in the past we can't use saved search you to delete selected records from KV Store. Can anyone suggest me the way of deleting selected records (older than 30 days), without manual intervention? Can REST call be scheduled to delete them?

Thanks in advance.

Reply
1 Solution
Solved! Jump to solution
Solution

dmarling
Builder
‎04-05-2019 07:26 AM

Do you have any timestamps on the events in the KV or a way to calculate what events were written when? If so it would be easy to setup a scheduled search that runs once a day that filters out events that are > 30 days ago. Conceptually it would be this if you have it attached to a lookup definition:

| inputlookup KVStoreLookupDefinition
| where epochtimefield>=relative_time(now(), "-30d@d")
| outputlookup KVStoreLookupDefinition
If this comment/answer was helpful, please up vote it. Thank you.

View solution in original post

Reply
Solved! Jump to solution
Solution

dmarling
Builder
‎04-05-2019 07:26 AM

Do you have any timestamps on the events in the KV or a way to calculate what events were written when? If so it would be easy to setup a scheduled search that runs once a day that filters out events that are > 30 days ago. Conceptually it would be this if you have it attached to a lookup definition:

| inputlookup KVStoreLookupDefinition
| where epochtimefield>=relative_time(now(), "-30d@d")
| outputlookup KVStoreLookupDefinition
If this comment/answer was helpful, please up vote it. Thank you.
Reply
Solved! Jump to solution

dinesh_cemad
Explorer
‎02-16-2020 08:12 PM

hi @dmarling

Does this retain the _key field?

0 Karma
Reply
Solved! Jump to solution

rishiaggarwal
Explorer
‎04-17-2019 08:55 PM

Can you please post that as an answer so that I can accept the answer and share some award points. Thanks.

0 Karma
Reply
Solved! Jump to solution

dmarling
Builder
‎04-18-2019 04:51 AM

Done. Thank you for reminding me to do this.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Solved! Jump to solution

rishiaggarwal
Explorer
‎04-17-2019 08:54 PM

Simple and Effective solution. Thanks for your assistance.

0 Karma
Reply
Solved! Jump to solution

dinesh_cemad
Explorer
‎02-16-2020 08:24 PM

hi @dmarling

Does this keep _key field values?

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎02-16-2020 09:54 PM

If | inputlookup KVStoreLookupDefinition contains _key field then it will keep otherwise this query overwrites _key field. If you are using any field from your data as _key then you can use key_field in outputlookup.

| inputlookup KVStoreLookupDefinition
 | where epochtimefield>=relative_time(now(), "-30d@d")
 | outputlookup key_field=<field> KVStoreLookupDefinition
Reply
Solved! Jump to solution

dmarling
Builder
‎02-17-2020 05:12 AM

This is a better response. Thanks @manjunathmeti 🙂

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎02-17-2020 06:02 AM

You are welcome @dmarling 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...