KV Store Update Multiple Records

kdroddy · ‎04-29-2020

Quick question about KV store - wondering what the best way to update multiple records at once via search may be?

Example - let's say I have the most recent logon for users for the past week:

user1 - last_logon_time
user2 - last_logon_time
etc....

I would like to query last_logon_time for all users for the past day, then update the KV store with the most recent info. The goal would be to set this up as a schedule search running daily to keep the KV store updated.

Any thoughts?

sciencenfaith · ‎09-03-2020

If I understood the question correctly, it seems very similar to updating a KV Store as described in https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/uselookupswithkvstore/, but with multiple entries at once. So, instead of:

| inputlookup csvcoll_lookup | search _key=544948df3ec32d7a4c1d9755 | eval CustName="Marge Simpson" | eval CustCity="Springfield" | outputlookup csvcoll_lookup append=True

try something like:

| inputlookup csvcoll_lookup | where _key IN("544948df3ec32d7a4c1d9755","544948df3ec32d7a4c1d9756","544948df3ec32d7a4c1d9757") | eval CustName="Marge Simpson" | eval CustCity="Springfield" | outputlookup csvcoll_lookup append=True

The critical difference is "| where _key IN" to list the keys you want to manipulate instead of searching for a single one.

EDIT: sorry, I replied to the reply instead of the OP. Removed original and posted correctly.

kamlesh_vaghela · ‎04-29-2020

@kdroddy

Can you please share your existing sample search/ code for updating KVStore and the sample KVstore fields?

KV Store Update Multiple Records

kvstore

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Part 1: A Guide to Maximizing Splunk IT Service Intelligence