Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to prevent duplicates in KV Store?

dteo827
Explorer
‎12-09-2015 09:02 AM

Greetings,
I regularly update a KV Store with new IP addresses/websites to monitor for in my network traffic.

Sometimes I get redundant information, and put in the same IP's/website multiple times.

How can I prevent duplicates in the KV Store?

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-24-2019 05:55 AM

Hi @dteo827,

Do use dedup command while updating the lookup. To make sure that your lookup don't have duplicate values at any point of time set key (primary key, which can not be duplicated) in kvstore (Reference).

0 Karma
Reply

christoffertoft
Communicator
‎04-24-2019 06:51 AM

This might work, but to play the devil's advocate here:

Ponder that the list has an IP and host of example.comwith ip 192.168.0.1
At some point, that key-value expires (i.e is old), perhaps because the IP has changed. At a later point in time, the ip 192.168.0.2 resolves to example.com, which then should be put in the KV store. At this point, without using timestamps and additional logic, you cant be certain the dedupped hostname (for example) removes the correct entry in the KV-store.

I've had huge problems with the KV-store functionalities, where inputlookup is great in terms of providing data on a row by row basis, making it easy to discern duplicates etc, but has the requirement of being the first command in the pipe. lookup on the other hand can be anywhere in a search, but does not provide a way to separate colliding entries (i.e. the output will be similar to that of doing a | stats values(*) by x

0 Karma
Reply

renjith_nair
Legend
‎12-13-2015 08:33 PM

If you are populating kv store with a search, then you can check the existence of IP's and store only those which are not inside, something like

<your search terms>|inputlookup lookup_name where NOT [|inputlookup lookup_name where IP="*"|fields IP]
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply

christoffertoft
Communicator
‎04-24-2019 04:21 AM

Inputlookup has to be the first command of a search

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...