Update existing index with CSV files containing ch...

wredny125 · ‎07-09-2015

Hi Guys,

I have a case where I'm importing every week a new dump of a data base to Splunk index using CSV files (I'm deleting the index with old data, and then recreating it back with new once). Right now I will receive not the whole dump of the DB in CSV but only CSV files with the items that have recently changed or have been added.

What would be the best way to update my existing index with this incremental csv files in Splunk and how could I do that?

Many thanks in advance

martin_mueller · ‎07-09-2015

Splunk doesn't do updates on index data, it's insert-only.

You could insert a new version of an event, and select the most recent version in your search, but that can be complicated and expensive.
You could store the entire set in a lookup file or Splunk's Key-Value-Store which both support updates but may or may not be suitable for your use case.
Have you considered leaving the data in an RDBMS and querying that from Splunk at search time using DB Connect?

Update existing index with CSV files containing changes

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation