Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to delete KV Store data older than 30 days?

AditiKulkarni
New Member
‎10-27-2015 12:03 AM

In our application, there is a requirement where we have to retain data in KV Store for a month (i.e. 30 days) and delete data that is older than 30 days. Is there any way/configuration where we can delete the KV Store data older than 30 days? I don't want to use scheduled search for this.

Could anyone give suggestion?

Tags (2)
0 Karma
Reply

tfechner
Path Finder
‎09-03-2018 07:12 AM

Any new possibility in 7.1 to remove old entries in a timebased kvstore?

0 Karma
Reply

masonmorales
Influencer
‎05-19-2016 10:45 AM

Do you store any kind of timestamp in your KV store? If so, what is it called and please give an example of its value.

0 Karma
Reply

masonmorales
Influencer
‎05-19-2016 10:47 AM

Also, you WILL have to use a scheduled search for this, but you only need to run it once/day. Just out of curiosity, why wouldn't you want to?

0 Karma
Reply

Jason
Motivator
‎05-19-2016 09:30 AM

As far as I know, there is no method for deleting individual records from the KV store using their keys, from the search bar, or automatically from a configuration somewhere.

You could use the inputlookup and outputlookup (without append=t) commands to bring in the entirety of the collection, search through it to keep what you want (likely some sort of where on a time field), and output it back to the kv store.

Deletion is currently handled through hitting a REST endpoint with a DELETE method. Example in the UI using the Javascript SDK.

Reply
Register for .conf25!
Get Updates on the Splunk Community!

The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...

The same scenario plays out across financial institutions daily. A payment system fails at 11:30 AM on a busy ...

Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25

Hello Splunkers, Want to attend .conf25 in Boston this year but not sure how to convince your manager? We've ...

Community Spotlight: A Splunk Expert's Journey

In the world of data analytics, some journeys leave a lasting impact not only on the individual but on the ...