Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to prevent duplicates in KV Store?

dteo827
Explorer
‎12-09-2015 09:02 AM

Greetings,
I regularly update a KV Store with new IP addresses/websites to monitor for in my network traffic.

Sometimes I get redundant information, and put in the same IP's/website multiple times.

How can I prevent duplicates in the KV Store?

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-24-2019 05:55 AM

Hi @dteo827,

Do use dedup command while updating the lookup. To make sure that your lookup don't have duplicate values at any point of time set key (primary key, which can not be duplicated) in kvstore (Reference).

0 Karma
Reply

christoffertoft
Communicator
‎04-24-2019 06:51 AM

This might work, but to play the devil's advocate here:

Ponder that the list has an IP and host of example.comwith ip 192.168.0.1
At some point, that key-value expires (i.e is old), perhaps because the IP has changed. At a later point in time, the ip 192.168.0.2 resolves to example.com, which then should be put in the KV store. At this point, without using timestamps and additional logic, you cant be certain the dedupped hostname (for example) removes the correct entry in the KV-store.

I've had huge problems with the KV-store functionalities, where inputlookup is great in terms of providing data on a row by row basis, making it easy to discern duplicates etc, but has the requirement of being the first command in the pipe. lookup on the other hand can be anywhere in a search, but does not provide a way to separate colliding entries (i.e. the output will be similar to that of doing a | stats values(*) by x

0 Karma
Reply

renjith_nair
Legend
‎12-13-2015 08:33 PM

If you are populating kv store with a search, then you can check the existence of IP's and store only those which are not inside, something like

<your search terms>|inputlookup lookup_name where NOT [|inputlookup lookup_name where IP="*"|fields IP]
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply

christoffertoft
Communicator
‎04-24-2019 04:21 AM

Inputlookup has to be the first command of a search

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...