
Dynamic updating of multiple KV Store rows

david_keough
Explorer

tl;dr - questions I am looking to get answers for:

1. Is there a better way to do this?
2. Is it possible to dynamically declare and store the _key values that I want to update?

---------------------------------------------------

I have a KV Store that holds statefulness data from a program that runs over 300 different tests.
The KV Store presently has string fields with data that I filled from a previous query, with the last_status field set to the string "stub" while I'm working on getting it functional. The field names in the KV Store are: last_time, last_status, test_name, rule_name, test_target and of course the hidden _key field.

I'm trying to update the last_time and last_status when the conditions are suitable.  The suitable condition is when the test, rule, and target fields match a subsearch with the same values in their respective fields.

I'm having issues with getting the KV Store to update. I've seen the following approaches suggested already in the questions I could find and the KB-type articles.

| inputlookup csvcoll_lookup | search _key=544948df3ec32d7a4c1d9755 | eval CustName="Marge Simpson" | eval CustCity="Springfield" | outputlookup csvcoll_lookup append=True

Which led me to finding a suggestion of:

| inputlookup csvcoll_lookup | where _key IN("544948df3ec32d7a4c1d9755","544948df3ec32d7a4c1d9756","544948df3ec32d7a4c1d9757") | eval CustName="Marge Simpson" | eval CustCity="Springfield" | outputlookup csvcoll_lookup append=True

I have something similar to the following query (some vars and objects have had their names changed to some degree, but it still represents the logic I'm trying to work with).

| inputlookup kvstoreA
| eval
    last_time=strftime(last_time,"%Y-%m-%dT%H:%M:%S"),
    key=_key,
    joinField=test_name+rule_name+test_target

| join type=inner [ 
    search index=a sourcetype=b NOT variable="ignore"
    | dedup testName testTargetDesc ruleName
    | eval
        Event_last_time=strftime(last_time,"%Y-%m-%dT%H:%M:%S"),
        Event_last_status=case(eventType=="A","healthy",eventType=="B","unhealthy",TRUE(),"undefined"),
        Event_test_name='alert.testName',
        Event_rule_name='alert.ruleName',
        Event_test_target='alert.testTargetsDescription{}',
        joinField=Event_test_name+Event_rule_name+Event_test_target]
| where Event_last_time!=last_time
| eval 
    last_status=Event_last_status,
    last_time=Event_last_time

| fields last_time last_status test_name rule_name test_target view_key
| outputlookup kvstoreA key_field=view_key append=True

From what I have read and tested so far, I am sure that I don't know how to extract the _key values in a dynamic way that can be applied to update specific entries in the table.

1. Is there a better way to do this?
2. Is it possible to dynamically declare and store the _key values that I want to update?

1 Solution

david_keough
Explorer

The last_time field is a numeric field that cannot accept a formatted time string value.

This was preventing the new data from applying to the fields.  There is no notification of failure when it fails.

Either store the datetime as epoch numeric or as a formatted string str value.

The function works and is essentially repaired.

| inputlookup kvstoreA
| eval
    joinField=test_name+rule_name+test_target

| join type=inner [ 
    search index=a sourcetype=b NOT variable="ignore"
    | dedup testName testTargetDesc ruleName
    | eval
        Event_last_time=_time,
        Event_last_status=case(eventType=="A","healthy",eventType=="B","unhealthy",TRUE(),"undefined"),
        Event_test_name='alert.testName',
        Event_rule_name='alert.ruleName',
        Event_test_target='alert.testTargetsDescription{}',
        joinField=Event_test_name+Event_rule_name+Event_test_target]
| where Event_last_time!=last_time
| eval 
    last_status=Event_last_status,
    last_time=Event_last_time

| fields last_time last_status test_name rule_name test_target
| outputlookup kvstoreA append=True

