Solved: Upsert Data on Ingest

lampert_marksu · ‎02-19-2014

I have an index set up and functioning properly on initial ingest. What I'd like to accomplish is the "upsert" of events on future files.

Example

File 1 (childCount_08-13-2013.txt)

Date, Name, # of Kids

08/13/2013, Nicky Blank, 4

08/13/2013, Mike Dorn, 2

08/13/2013, Les Paul, 1

File 2 (childCount_08-23-2013.txt)

Date, Name, # of Kids

08/23/2013, Nicky Blank, 6

08/23/2013, Phillip Jacks, 3

08/23/2013, Tina Walls, 1

DESIRED OUTPUT (Contains all unique entries and updates any existing entries)

08/23/2013, Nicky Blank, 6

08/13/2013, Mike Dorn, 2

08/13/2013, Les Paul, 1

08/23/2013, Phillip Jacks, 3

08/23/2013, Tina Walls, 1

Any assistance would be greatly appreciated.

Ayn · ‎02-19-2014

Data in Splunk's index cannot be modified - once it's indexed the data stays the same. What you could do though is create tables like the one you show using stats for instance.

<basesearch> | stats latest(Date) as Date,latest(num_kids) by Name

View solution in original post

Ayn · ‎02-19-2014

Data in Splunk's index cannot be modified - once it's indexed the data stays the same. What you could do though is create tables like the one you show using stats for instance.

<basesearch> | stats latest(Date) as Date,latest(num_kids) by Name

lampert_marksu · ‎02-19-2014

Ah, that makes sense. Thanks for the feedback; this is helpful.

Upsert Data on Ingest

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation