Solved: Upsert Data on Ingest

lampert_marksu · ‎02-19-2014

I have an index set up and functioning properly on initial ingest. What I'd like to accomplish is the "upsert" of events on future files.

Example

File 1 (childCount_08-13-2013.txt)

Date, Name, # of Kids

08/13/2013, Nicky Blank, 4

08/13/2013, Mike Dorn, 2

08/13/2013, Les Paul, 1

File 2 (childCount_08-23-2013.txt)

Date, Name, # of Kids

08/23/2013, Nicky Blank, 6

08/23/2013, Phillip Jacks, 3

08/23/2013, Tina Walls, 1

DESIRED OUTPUT (Contains all unique entries and updates any existing entries)

08/23/2013, Nicky Blank, 6

08/13/2013, Mike Dorn, 2

08/13/2013, Les Paul, 1

08/23/2013, Phillip Jacks, 3

08/23/2013, Tina Walls, 1

Any assistance would be greatly appreciated.

Ayn · ‎02-19-2014

Data in Splunk's index cannot be modified - once it's indexed the data stays the same. What you could do though is create tables like the one you show using stats for instance.

<basesearch> | stats latest(Date) as Date,latest(num_kids) by Name

View solution in original post

Ayn · ‎02-19-2014

Data in Splunk's index cannot be modified - once it's indexed the data stays the same. What you could do though is create tables like the one you show using stats for instance.

<basesearch> | stats latest(Date) as Date,latest(num_kids) by Name

lampert_marksu · ‎02-19-2014

Ah, that makes sense. Thanks for the feedback; this is helpful.

Upsert Data on Ingest

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Upsert Data on Ingest

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES